-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MediaWiki 1.5.4 is a security and bugfix maintenance release.

A hardcoded internal placeholder string has been replaced with a random one. This closes a hole where security checks in inline style attributes could be bypassed, injecting JavaScript code that could execute in Microsoft Internet Explorer.

Other browsers would not be vulnerable.

Several minor fixes are included in this release, most notably a fix to clear the "you have new messages" flag properly for usernames containing spaces when e-mail notification is enabled.

See the changelog at the end of the release notes for a full list of fixes.

Release notes: http://sourceforge.net/project/shownotes.php?release_id=379951

Download: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5.4.tar.gz?download

MD5 checksum: c5cff706c4d2fc8dd5aabd10f1714be0 mediawiki-1.5.4.tar.gz

SHA-1 checksum: 12ccdbdd295152937595d4a00c41ae156bf19015 mediawiki-1.5.4.tar.gz

Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system: http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)