MediaWiki 1.3.6 is a security update, which contains fixes for several cross-site scripting and SQL injection vulnerabilities discovered during a code review. All MediaWiki users are strongly urged to upgrade to this latest release.
Changes from 1.3.5:
* (bug 296) Variables in user interface messages are no longer substituted at install time, so changes to the site name etc should be easier to make
* (bug 149) Special:Recentchanges "changes from" link preserves limit
* (bug 433) tooltip for "Undelete" tab now labeled correctly
* (bug 439) unclickable "Move" tab no longer displays on protected pages
* (bug 484) graceful deletion of images where the actual file is missing
* (bug 686) fixed [[plural]]s in Catalan localization
* Fixed potential HTML/JavaScript injection attack in the UnicodeConverter extension. (This extension is not enabled by default.)
* Fixed potential HTML/JavaScript injection attack via raw page views to a maliciously crafted wiki page.
* (bug 187, bug 669) Fixed centered thumbnails, using <div> instead of <span>.
* catch MySQL error 2000 during installation.
* (bug 704) Removed misleading LocalSettings.sample
* Fix cross site scripting bugs in SpecialIpblocklist, SpecialEmailuser
* Fix SQL injection and cross site scripting bugs in SpecialMaintenance
* Fix cross site scripting bugs and possible filename validation vulnerability in ImagePage.
* and more of that sort
Release notes: http://sourceforge.net/project/shownotes.php?release_id=275099
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.3.6.tar.gz?download
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)