Release Notes: A cross-site scripting (XSS) vulnerability was fixed. Fatal errors with unusual file repository configurations, such as ForeignAPIRepo, were fixed. The "change password" link on Special:Preferences was changed to have the correct returnto parameter.
Release Notes: XSS and CSRF vulnerabilities were fixed.
Release Notes: Possible cross-site information leaks using the callback parameter for JSON-formatted results in the API are prevented by dropping user credentials.
Release Notes: This release fixes a potential XSS issue affecting api.php on Microsoft Internet Explorer only.
Release Notes: An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled. Minor compatibility fixes for IIS and PostgreSQL are also included.
Release Notes: An XSS injection vulnerability was located in the Ajax support module, affecting MediaWiki 1.6.x and up when the optional $wgUseAjax setting is enabled. There is no danger in the default configuration, with $wgUseAjax off. If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix: 1.8.3, 1.7.2, 1.6.9, or the 1.9.0rc2 release candidate.
Release Notes: A bug in decoding of certain encoded links could allow injection of raw HTML into page output, which could potentially lead to XSS attacks.
Release Notes: A bug in edit comment formatting was fixed that could send PHP into an infinite loop if certain malformed links were included. In most installations, this would cause the script to fail after PHP's 30-second failsafe timeout. Some improvements were made to the installer, which should make installation possible on a system with a broken MySQL "root" account.
Release Notes: Detection for uploads of Windows Metafile (.wmf) images was added to help protect against a client-side vulnerability in unpatched Microsoft Windows operating systems. Additionally, a removeUnusedAccounts.php maintenance script was added. This replaces an older Perl script which had not been updated for the new schema in 1.5.