Release notes/1.20

= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.20.5
This is a security and maintenance release of the MediaWiki 1.20 branch.

Changes since 1.20.4

 * (bug 46590) Add hook AbortChangePassword to Special:ChangePassword
 * (bug 47304) SECURITY: Check SVG xml encoding against whitelist
 * Localisation updates from http://translatewiki.net.
 * mwdocgen.php: Implement --version option.
 * Remove svnstat stuff used in Doxygen generation
 * (bug 43594) Correctly supress warnings that were missed after the upstream
 * PHP change to E_STRICT being included in E_ALL.
 * jshint: Allow global mw to be set in mediawiki.js

MediaWiki 1.20.4
This is a security release of the MediaWiki 1.20 branch.

Changes since 1.20.3

 * (bug 47251) SECURITY: Disable external entities in Import
 * (bug 46859) SECURITY: Disable external entities in XMLReader
 * (bug 46084) SECURITY: Sanitize $limitReport before outputting

MediaWiki 1.20.3
This is a security and maintenance release of the MediaWiki 1.20 branch.

Changes since 1.20.2

 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.)
 * (bug 44010) Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage was weakened.
 * (bug 40585) Don't drop 'step="any"' in HTML input fields.
 * (bug 44024) Fixed problems in ObjectCache when using XCache.
 * (bug 44010) FauxRequest leaked cookie data from primary request.
 * (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
 * (bug 43518) API action=unblock should return the user name, not the full user object
 * (Bug 45355) Prevent read of arbitrary files through mwdoc-filter.php

MediaWiki 1.20.2
This is a maintenance release of the MediaWiki 1.20 branch

Changes since 1.20.1

 * Fix API action=options&reset=1 & unit tests.
 * Fixed backport of 60cc060 to use mDoneWrites — caused User rights, preferences and other things are not saving in 1.20.1.

MediaWiki 1.20.1
This is a security release of the MediaWiki 1.20 branch

Changes since 1.20

 * (bug 42202) Validate options to prevent html injection
 * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
 * Javscript Lint fixes
 * (bug 40632) Remove CleanupPresentationalAttributes feature
 * [Database] Fixed case where trx idle callbacks might be lost.

MediaWiki 1.20
MediaWiki 1.20 is a stable release.

PHP 5.3 now required
Since 1.20, the lowest supported version of PHP is now 5.3.2. Please upgrade PHP if you have not done so prior to upgrading MediaWiki.

Configuration changes in 1.20

 * $wgGitRepositoryViewers defines a mapping from Git remote repository to the Gitweb instance URL used in Special:Version.
 * is no longer needed to make $wgArticlePath work on servers using like nginx, lighttpd, and apache over fastcgi. MediaWiki now always extracts path info from REQUEST_URI if it's available.
 * The user right 'upload_by_url' is no longer given to sysops by default. This only affects installations which have $wgAllowCopyUploads set to true.
 * Removed f-prot support from $wgAntivirusSetup.
 * New variable $wgDBerrorLogTZ to provide dates in the error log in a different timezone than the wiki timezone set by $wgLocaltimezone.
 * New variables $wgDBssl and $wgDBcompress to enable SSL and compression for database connections, if either are available for the selected DB type.
 * $wgUseCombinedLoginLink now defaults to false, making MediaWiki output separate login and create account links by default.

New features in 1.20

 * Added TitleIsAlwaysKnown hook which gets called when determining if a page exists.
 * Added NamespaceIsMovable hook which gets called when determining if pages in a certain namespace can be moved.
 * Added SpecialPageBeforeExecute hook which gets called before SpecialPage::execute.
 * Added SpecialPageAfterExecute hook which gets called after SpecialPage::execute.
 * Added ORMTable, ORMRow and ORMResult classes for additional abstraction of database interaction.
 * Added CacheHelper and associated SpecialCachedPage and CachedAction helper classes.
 * (bug 32341) Add upload by URL domain limitation.
 * &useskin=default will now always display the default skin. Useful for users with a preference for the non-default skin to look at something using the default skin.
 * (bug 27619) Remove preference option to display broken links as link?
 * (bug 34896) jQuery JSON plugin upgraded to v2.3 (2011-09-17).
 * (bug 34302) Add CSS classes to email fields in user preferences.
 * Introduced $wgDebugDBTransactions to trace transaction status (currently PostgreSQL only).
 * (bug 23795) Add parser itself to ParserMakeImageParams hook.
 * Introduce a cryptographic random number generator source api for use when generating various tokens.
 * (bug 30963) Option on Special:Prefixindex and Special:Allpages to not show redirects.
 * (bug 18062) New message when edit or create the local page of a shared file.
 * (bug 22870) Separate interface message when creating a page.
 * (bug 17615) nosummary option should be reassigned on preview/captcha.
 * (bug 34355) Add a variable and parser function for the namespace number.
 * (bug 35649) Special:Version now shows hashes of extensions checked out from git.
 * (bug 35728) Git revisions are now linked on Special:Version.
 * "Show Changes" on default messages shows now diff against default message text
 * (bug 23006) create #speciale parser function.
 * generateSitemap can now optionally skip redirect pages.
 * (bug 27757) New API command just for retrieving tokens (not page-based).
 * Added GitViewers hook for extensions using external git repositories to have a web-based repository viewer linked to from Special:Version.
 * Memcached debug logs can now be sent to their own file logs by setting $wgDebugLogFile['memcached'] to some filepath.
 * (bug 35685) api.php URL and other entry point URLs are now listed on Special:Version
 * Edit notices can now be translated.
 * jQuery upgraded to 1.8.2.
 * jQuery UI upgraded to 1.8.23.
 * QUnit upgraded from v1.2.0 to v1.10.0.
 * (bug 37604) jquery.cookie upgraded to 2011 version.
 * (bug 22887) Add warning and tracking category for preprocessor errors
 * (bug 31704) Allow selection of associated namespace on the watchlist
 * (bug 5445) Now remove autoblocks when a user is unblocked.
 * Added $wgLogExceptionBacktrace, on by default, to allow logging of exception backtraces.
 * Added device detection for determining device capabilities.
 * QUnit.newMwEnvironment now supports passing a custom setup and/or teardown function. Arguments signature has changed. First arguments is now an options object of which 'config' can be a property. Previously 'config' itself was the first and only argument.
 * New getCreator and getOldestRevision methods added to WikiPage class
 * (bug 4220) the XML dump format schema now have unique identity constraints for page and revision identifiers. Patch by Elvis Stansvik.
 * cleanupSpam.php now can delete spam pages if --delete was specified instead of blanking them.
 * Added new hook ChangePasswordForm to allow adding of additional fields in Special:ChangePassword
 * Added new function getDomain to AuthPlugin for getting a user's domain
 * (bug 23427) New magic word which gives the current page ID.  Will be null on previewing a page being created.
 * (bug 37627) UserNotLoggedIn exception to show a generic error page whenever a user is not logged in.
 * Watched status in changes lists are no longer indicated by tags with class "mw-watched". Instead, each line now has a class "mw-changeslist-line-watched" or "mw-changeslist-line-not-watched", and the title itself is surrounded by    tags with class "mw-title".
 * Added ContribsPager::reallyDoQuery hook allowing extensions to data to MyContribs
 * Added new hook ParserAfterParse to allow extensions to affect parsed output after the parse is complete but before block level processing, link holder replacement, and so on.
 * (bug 34678) Added InternalParseBeforeSanitize hook which gets called during Parser's internalParse method just before the parser removes unwanted/dangerous HTML tags.
 * Added new hook AfterFinalPageOutput to allow modifications to buffered page output before sent to the client.
 * (bug 36783) Implement jQuery Promise interface in mediawiki.api module.
 * Make dates in sortable tables sort according to the page content language instead of the site content language
 * (bug 37926) Deleterevision will no longer allow users to delete log entries, the new deletelogentry permission is required for this.
 * (bug 14237) Allow PAGESINCATEGORY to distinguish between 'all', 'pages', 'files' and 'subcats'
 * (bug 38362) Make Special:Listuser includeable on wiki pages.
 * Added support in jquery.localize for placeholder attributes.
 * (bug 38151) Implemented mw.user.getRights for getting and caching the current user's user rights.
 * Session storage can now configured independently of general object cache storage, by using $wgSessionCacheType. $wgSessionsInMemcached has been renamed to $wgSessionsInObjectCache, with the old name retained for backwards compatibility. When this feature is enabled, the expiry time can now be configured with $wgObjectCacheSessionExpiry.
 * Added a Redis client for object caching.
 * Implemented mw.user.getGroups for getting and caching user groups.
 * (bug 37830) Added $wgRequirePasswordforEmailChange to control whether password confirmation is required for changing an email address or not.
 * HTMLForm mutators can now be chained (they return $this)
 * A new message, "api-error-filetype-banned-type", is available for formatting API upload errors due to the file extension blacklist.
 * New hook 'ParserTestGlobals' allows to set globals before running parser tests.
 * Allow importing pages as subpage.
 * Add lang and hreflang attributes to language links on Login page.
 * (bug 22749) Create Special:MostInterwikis.
 * Show change tags when transclude Special:Recentchanges(linked) or Special:Newpages.
 * (bug 23226) Add |class= parameter to image links in order to add class(es) to HTML img tag.
 * (bug 39431) SVG animated status is now shown in long description.
 * (bug 39376) jquery.form upgraded to 3.14.
 * SVG files will now show the actual width in the SVG's specified units in the metadata box.
 * Added ResourceLoader module "jquery.jStorage" (v0.3.0, http://jStorage.info/).
 * (bug 39273) Added AJAX support for "Show changes" (diff) in LivePreview.
 * Added ResourceLoader module "jquery.badge".
 * mw.util.$content now points to the overall content area in the skin rather than just page text content area. If you need the old behaviour please use $( '#mw-content-text').
 * jsMessage has been replaced with a floating bubble notification system complete with auto-hide, multi-message support, and message replacement tags.
 * jquery.messageBox which appears to be unused by both core and extensions has been removed.
 * (bug 34939) Made link parsing insensitive ([HttP://]).
 * (bug 40072) Add CSS classes to items in output of ChangesList pages.
 * Added $wgCopyUploadProxy global to define which proxy to use for copy uploads.
 * (bug 40448) mediawiki.legacy.mwsuggest has been replaced with a new module, mediawiki.searchSuggest, based on SimpleSeach from Extension:Vector.

Known issues in 1.20.0
These are issues that we're targeting to be fixed in a later release in the 1.20 series. Issues may be added or removed from this list as we see fit. For now, it is comprised of those bugs on the 1.20.0 milestone in Bugzilla.


 * (bug 35894): Reports of secret key generation "hanging" on windows
 * This is probably a bug that has been fixed in PHP. If you run into this, try upgrading your PHP.


 * (bug 38334): PHP Notice: Undefined index: href in /www/w/skins/Vector.php on line 416
 * We think this is a problem in some extension. If you see this, try disabling your extensions and check out the logging patch on this bug.  Or try this patch.


 * (bug 39268): [Regression] Toolbar inserts in main textarea only (instead of the focussed textarea)
 * This should only be an issue if you are using the ProofreadPage extension.


 * (bug 40641): Clicking "others" in Special:Version asks to download a file
 * If you encounter this, you can tell your webserver to serve the CREDITS file with text/plain MIME type to fix it.

Bug fixes in 1.20

 * (bug 40939): [Regression] InfoAction: Call to a member function getUserText on a non-object
 * (bug 40780): searchsuggest-containing line ("containing...") doesn't include the entered text
 * (bug 37714): [Regression] Incomplete log entries
 * (bug 27202): API: Add timestamp sort to list=allimages
 * (bug 30245) Use the correct way to construct a log page title.
 * (bug 34237) Regenerate an empty user_token and save to the database when we try to set the user's cookies for login.
 * (bug 32210) New edit emails for watched pages always provide a link to the edit which triggered the mail.
 * (bug 12021) Added user talk link on Special:Listusers.
 * (bug 34445) section edit and TOC hide/show links are excluded from selection and copy/paste on supporting browsers.
 * (bug 34428) Fixed incorrect hash mismatch errors in the DiffHistoryBlob history compression method.
 * (bug 34702) Localised parentheses are now used in more special pages.
 * (bug 34723) When editing a script page on a RTL wiki the textbox should be LTR.
 * (bug 34762) Calling close on a DatabaseBase object now clears the connection.
 * (bug 34863) Show deletion log extract on non-existent file pages if applicable.
 * (bug 28019) Let ?preloadtitle=foo be passed on to target of Special:MyPage and Special:MyTalk.
 * (bug 34929) Show the correct diff when a section edit is rejected by the spam filter.
 * (bug 15816) Add a switch for SETting the search_path (Postgres).
 * (bug 34521) Returning to the previous page after logging in loses any array- valued parameters in the query string.
 * (bug 34735) Updated compressOld.php documentation to mention the different usages of -s and -n parameters depending on compression type.
 * (bug 13896) Rendering of devanagari numbers in automatic '#' number lists.
 * (bug 33689) Upgrade to 1.19 on Postgres fails due to incomplete query when. trying to defer foreign key for externallinks.
 * (bug 32748) Printer friendly version of article decode Unicode chars as a pretty IRI in footer.
 * Removed white border around thumbnails in galleries.
 * (bug 31236) "Next" and "Previous" buttons are shown incorrectly in an RTL environment.
 * (bug 35749) Updated maintenance/checkSyntax.php to use Git instead of Subversion when invoked with the --modified option.
 * (bug 35069) On history pages, the " . . " separator after the number of characters changed in a revision is now suppressed if no text would follow.
 * (bug 18704) Add a unique CSS class or ID to the tagfilter table row at RecentChanges
 * (bug 33564) transwiki import sometimes result in invalid title.
 * (bug 35572) Blocks appear to succeed even if query fails due to wrong DB structure
 * (bug 31757) Add a word-separator between help-messages in HTMLForm
 * (bug 30410) Removed deprecated $wgFilterCallback and the 'filtered' API error.
 * (bug 32604) Some messages needs escaping of wikitext inside username.
 * (bug 36537) Rename wfArrayToCGI to wfArrayToCgi for consistency with wfCgiToArray.
 * (bug 25946) The message on the top of Special:RecentChanges is now displayed. in user language instead of content language.
 * (bug 35264) Wrong type used for  in export.xsd
 * (bug 24985) Use $wgTmpDirectory as the default temp directory so that people who don't have access to /tmp can specify an alternative.
 * (bug 27283) SqlBagOStuff breaks PostgreSQL transactions.
 * (bug 35727) mw.Api ajax should put token parameter last.
 * (bug 37708) mw.Uri.clone should make a deep copy.
 * (bug 38024) ResourceLoader should not create empty stylesheets for modules that don't have stylesheets.
 * (bug 36812) Special:ActiveUsers "Hide bots" should hide users from any group having the "bot" user right, instead of just the default "bot" user group.
 * (bug 35082) mw.util.addPortletLink incorrectly adds link to mutiple  tags.
 * (bug 36495) Sanitizer::fixDeprecatedAttributes should convert "align" attribute to margin or float instead of text-align (for non-table-cells).
 * (bug 36991) jquery.tablesorter should extract date sort format from date string instead of global config. Dates like "April 1 2012" and "1 April 2012" now sort correctly regardless of the content language's DefaultDateFormat.
 * (bug 31895) mw.loader mode now correct when triggered from a $.fn.ready handler that is bound before mediawiki.js's handler (e.g. browser-userscripts like greasemonkey).
 * (bug 38152) jquery.tablesorter: Use .data instead of .attr, so that live values are used instead of just the fixed values from when the tablesorter was initialized.
 * (bug 38093) Gender of changed user groups missing in Special:Log/rights
 * (bug 35893) Special:Block needs to load mediawiki.special.block.js.
 * (bug 37331) ResourceLoader modules sometimes execute twice in Firefox
 * (bug 31644) GlobalUsage, CentralAuth and AbuseLog extensions should not use insecure links to foreign wikis in the WikiMap.
 * (bug 36073) Avoid duplicate element IDs on File pages.
 * (bug 25095) Special:Categories should also include the first relevant item when "from" is filled.
 * (bug 35526) jquery.tablesorter now uses a stable sort.
 * (bug 38953) --memory-limit switch not working for runJobs.php.
 * (bug 33037) Make subpage of Special:newfiles control how many files are returned, like in previous versions.
 * (bug 36524) "Show" options on Special:RecentChanges and Special:RecentChangesLinked are now remembered between successive clicks.
 * (bug 26069) Page title is no longer "Error" for all error pages.
 * (bug 39297) Show warning if thumbnail of animated image will not be animated.
 * (bug 38249) Parser will throw an exception instead of outputting gibberish if PCRE is compiled without support for unicode properties.
 * (bug 30390) Suggested file name on Special:Upload should not contain illegal characters.
 * EXIF below sea level GPS altitude data is now shown correctly.
 * (bug 39284) jquery.tablesorter should not consider "."" or "?"" to be a currency.
 * (bug 39273) "Show changes" should not be incorrectly displayed in the Live Preview state.
 * Made body-content lang attribute honor the variant language when it is set.
 * (bug 36761) "Mark pages as visited" now submits previously established filter options.
 * (bug 39635) PostgreSQL LOCK IN SHARE MODE option is a syntax error.
 * (bug 36329) Accesskey tooltips for Firefox 14 on Mac should use "ctrl-option-" prefix.
 * (bug 32552) Drop unused database field cat_hidden from table category.
 * (bug 40214) Category pages no longer use deprecated "width" HTML attribute.
 * (bug 39941) Add missing stylesheets to the installer pages
 * In HTML5 mode, allow new input element types values (such as color, range..)
 * (bug 36151) mw.Title: Don't limit extension in title parsing.
 * (bug 38158) jquery.byteLimit sometimes causes an unexpected 0 maxLength being enforced.
 * (bug 38163) jquery.byteLimit incorrectly limits input when using methods other than basic per-char typing.
 * (bug 34495) patrol log now credit the user patrolling (instead of patrolled user).
 * (bug 31676) ResourceLoader should work around IE stylesheet limit.
 * (bug 40498) ResourceLoader should not output an empty "@media print { }" block.
 * (bug 40500) ResourceLoader should not ignore media-type for urls in debug mode.
 * (bug 40660) ResourceLoaderWikiModule should not convert " " to a space for pages from the MediaWiki-namespace.

API changes in 1.20

 * (bug 34316) Add ability to retrieve maximum upload size from MediaWiki API.
 * (bug 34313) MediaWiki API intro message about "HTML format" should mention the format parameter.
 * (bug 32384) Allow descending order for list=watchlistraw.
 * (bug 31883) Limit of bkusers of list=blocks and titles of action=query is not documented in API help.
 * (bug 32492) API now allows editing using pageid.
 * (bug 32497) API now allows changing of protection level using pageid.
 * (bug 32498) API now allows comparing pages using pageids.
 * (bug 30975) API import of pages with invalid characters in this wiki leads to Fatal Error.
 * (bug 30488) API now allows listing of backlinks/embeddedin/imageusage per pageid.
 * (bug 34927) Output media_type for list=filearchive.
 * (bug 28814) add properties to output of action=parse.
 * (bug 33224) add variants of content language to meta=siteinfo.
 * (bug 32643) action=purge with forcelinkupdate no longer crashes when ratelimit is reached.
 * The paraminfo module now also contains result properties for most modules.
 * (bug 32348) Allow descending order for list=alllinks.
 * (bug 31777) Upload unknown error ``fileexists-forbidden''.
 * (bug 32382) Allow descending order for list=iwbacklinks.
 * (bug 32381) Allow descending order for list=backlinks, list=embeddedin and list=imageusage.
 * (bug 32383) Allow descending order for list=langbacklinks.
 * API meta=siteinfo can now return the list of known variable IDs.
 * (bug 35980) list=deletedrevs now honors drdir correctly in "all" mode (mode #3).
 * (bug 29290) API avoids mangling fields in continuation parameters
 * (bug 36987) API avoids mangling fields in continuation parameters
 * (bug 30836) siteinfo prop=specialpagealiases will no longer return nonexistent special pages
 * (bug 38190) Add "required" flag to some token params for hint in api docs.
 * (bug 27567) Add file repo support to prop=duplicatefiles.
 * (bug 27610) Add archivename for non-latest image version to list=filearchive
 * (bug 38231) Add xml parse tree to action=parse.
 * Watchlist notification timestamp may be queried by page and may be updated via the API.
 * (bug 38904) prop=revisions&rvstart=... no longer blows up when continuing.
 * (bug 39032) ApiQuery generates help in constructor.
 * (bug 11142) Improve file extension blacklist error reporting in API upload.
 * (bug 39665) Cache AllowedGenerator array so it doesn't autoload all query classes on every request.

Languages updated in 1.20
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.


 * Emilian (egl) added.
 * Tornedalen Finnish (fit) added.
 * Mizo (lus) added.
 * Santali (sat) added.
 * (bug 34192) Namespace gender aliases for Albanian languages (sq & aln).
 * (bug 35541) Namespace gender aliases for Croatian (hr).
 * (bug 36012) Space in $separatorTransformTable should be non-breaking in Portuguese, Esperanto and Udmurt.
 * Turoyo (tru) added.
 * Cyrillic-Latin language converter added for Uzbek (uz).

Other changes in 1.20

 * The user_token field is now left empty until a user attempts to login and cookies need to be set. It is also now possible to reset every user's user_token simply by clearing the values in the user_token column.
 * Removed ./tests/qunit/index.html from core. It wasn't actively maintained and has been made obsolete when Special:JavaScriptTest/qunit was introduced, which actually uses ResourceLoader, LocalSettings and the Skin.
 * Removed $wgDBtransactions global. This was only checked in one class and only applies to MyISAM or similar DBs. Those should only be used for archived sites anyway. We can't get edit conflicts on such sites, so the WikiPage code wasn't useful there either.
 * Deprecated mw.user.name in favour of mw.user.getName.
 * Deprecated mw.user.anonymous in favour of mw.user.isAnon.
 * Deprecated DatabaseBase functions newFromParams, newFromType, set, quote_ident, and escapeLike were removed.
 * Use of __DIR__ instead of dirname( __FILE__ ).
 * OutputPage::wrapWikiMsg no longer supports the 'options' parameter. It was not used and complicated migration to Message class.
 * Live preview functionality has been improved and moved into the 'mediawiki.action.edit.preview' module. The old 'mediawiki.legacy.preview' module has been removed.
 * (bug 40448) Removed mediawiki.legacy.mwsuggest module, and removed the following that has become obsolete: - globals $wgEnableMWSuggest and $wgMWSuggestTemplate. - mw.config.values wgMWSuggestTemplate and wgSearchNamespaces. - method SearchEngine::getMWSuggestTemplate.

Compatibility
MediaWiki 1.20 requires PHP 5.3.2. PHP 4 is no longer supported.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for IBM DB2 and Oracle.

The supported versions are:


 * MySQL 5.0.2 or later
 * PostgreSQL 8.3 or later
 * SQLite 3.3.7 or later
 * Oracle 9.0.1 or later

Upgrading
1.20 has several database changes since 1.19, and will not work without schema updates.

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

https://www.mediawiki.org/wiki/Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net.