Mailing List Archive

MediaWiki 1.6.6 released (security)
Hash: SHA1

MediaWiki 1.6.6 is a security and bugfix maintenance release.

An XSS injection vector in brace replacement has been fixed, as have some
potential problems with table parsing. Upgrading is strongly recommended
for all users of 1.6. MediaWiki versions 1.5 and earlier are not affected.

As a quick fix, if you are not able to fully upgrade to 1.6.6 you can apply this
two-line patch to fix the main known problems:

Additionally some localization and user interface updates are included.

* Correct "revertpage" message in English
* (bug 5507) Logouttext uses now wiki markup
* (bug 5857, 5957) Update for German localisation (de)
* (bug 5586) <gallery> treated text as links
* (bug 5957) Update for Hebrew language (he)
* (bug 6025) SpecialImport: wrong message when no file selected
* (bug 6015) EditPage: add spacing in the boxes "edit is minor" and "watch this"
* (bug 6018) Userrights: new message when no user specified ('nouserspecified')
* (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick
* Reordered wiki table handling and __TOC__ extraction in the parser to better
handle some overlapping tag cases.
* Only the first __TOC__ is now turned into a TOC.
* (bug 361) URL in URL, they were almost fixed. Now they are.

Full release notes:


MD5 checksum:
b19b11dbe4a9c61bf857f6584e4d6010 mediawiki-1.6.6.tar.gz

SHA-1 checksum:
debb5970dd30632b0d6fff6dd95727da9d730f6f mediawiki-1.6.6.tar.gz

Before asking for help, try the FAQ:

Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)

Wiki admin help mailing list:

Bug report system:

Play "stump the developers" live on IRC:
#mediawiki on

- -- brion vibber (brion @
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla -

MediaWiki-announce mailing list