Release notes/1.19

= MediaWiki release notes =

Security reminder: MediaWiki has not required PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.19.18
This is a security release of the MediaWiki 1.19 branch.

Changes since 1.19.17

 * SECURITY: Prepend jsonp callback with comment.
 * SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.

MediaWiki 1.19.17
This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.16

 * SECURITY: Prevent external resources in SVG files.
 * MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.

MediaWiki 1.19.16
This is a security release of the MediaWiki 1.19 branch.

Changes since 1.19.15

 * SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.

MediaWiki 1.19.15
This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.14

 * Fixed resetting passwords.
 * Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.

MediaWiki 1.19.14
This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.13

 * SECURITY: Add CSRF token on Special:ChangePassword.
 * Set a title for the context during import on the cli.

MediaWiki 1.19.13
This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.12

 * SECURITY: API: Don't find links in the middle of api.php links.
 * Use the correct branch of the extensions' git repositories.

MediaWiki 1.19.12
This is a security release of the MediaWiki 1.19 branch.

Changes since 1.19.11

 * SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace.
 * SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.

MediaWiki 1.19.11
This is a security release of the MediaWiki 1.19 branch.

Changes since 1.19.10

 * SECURITY: Sanitize shell arguments to DjVu files, and other media formats

MediaWiki 1.19.10
This is a security release of the MediaWiki 1.19 branch.

Changes since 1.19.9

 * SECURITY: Disallow stylesheets in SVG Uploads
 * SECURITY: Don't normalize U+FF3C to \ in CSS Checks
 * SECURITY: Disallow -o-link in styles
 * SECURITY: Return error on invalid XML for SVG Uploads
 * SECURITY: Fix RevDel log entry information leaks

MediaWiki 1.19.9
This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.8

 * SECURITY: Don't cache when a call could autocreate
 * SECURITY: Improve css javascript detection
 * Fix behaviour of $wgVerifyMimeType = false; in Upload
 * Translations

MediaWiki 1.19.8
2013-09-03

This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.7

 * SECURITY: Sanitize ResourceLoader exception messages
 * SECURITY: Token-getting functions will fail when using jsonp callbacks.
 * SECURITY: Fix extension detection with 2 .'s
 * Allow a string other than '*' as condition for DatabaseBase::delete
 * Purge upstream caches when deleting file assets.
 * jquery.tablesorter: Add missing dependency on jquery.mwExtension

MediaWiki 1.19.7
2013-05-21

This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.6

 * SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.

MediaWiki 1.19.6
2013-04-30

This is a security and maintenance release of the MediaWiki 1.19 branch

Changes since 1.19.5

 * SECURITY: Check SVG xml encoding against whitelist
 * Added AbortChangePassword hook to allow extensions to abort password changes from Special:ChangePassword
 * Localisation updates from http://translatewiki.net.
 * mwdocgen.php: Implement --version option.
 * Remove svnstat stuff used in Doxygen generation
 * E_USER_DEPRECATED undefined prior to php 5.3

MediaWiki 1.19.5
2013-04-15

This is a security and maintenance release of the MediaWiki 1.19 branch

Changes since 1.19.4

 * SECURITY: Disable external entities in Import
 * SECURITY: Disable external entities in XMLReader
 * SECURITY: Sanitize $limitReport before outputting
 * Fix notices displayed on PHP 5.4
 * Don't drop 'step="any"' in HTML input fields.

MediaWiki 1.19.4
2013-03-04

This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.3

 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
 * Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage was weakened.
 * Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
 * API action=unblock should return the user name, not the full user object

MediaWiki 1.19.3
2012-11-30

This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.2

 * Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * Prevent linker regex from exceeding PCRE backtrack limit
 * Increase permitted runtime for testParserTest (only used for continuous integration).
 * Updated messages translations from http://translatewiki.net/

MediaWiki 1.19.2
2012-08-31

This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.1

 * File: link to non-existing file can inject html
 * Hidden block text leaking to admins
 * LDAP password leakage
 * Disallow framing of api results
 * Enforce language codes to be html safe
 * Check global blocks on account creation

MediaWiki 1.19.1
2012-06-13

This is a security and maintenance release of the MediaWiki 1.19 branch

Changes since 1.19.0

 * Properly quote table names in DatabaseBase::tableName

MediaWiki 1.19
2012-05-02

This is a stable release of the MediaWiki 1.19 branch. Please test it and let us know what you think of it. Beta releases are not recommended for use in production.

Changes since 1.19.0

 * Fixed "Illegal string offset 'LIMIT'" warnings in updater
 * Correctly escape uselang attribute to prevent xss
 * Expanded Blacklist for SVG Files

Changes since 1.19 beta 2

 * Special:Watchlist no longer sets links to feed when the user is anonymous
 * Special:Log/patrol doesn't indicate whether patrolling was automatic

Changes since 1.19 beta 1

 * Including a special page no longer sets the page's title to the included page.
 * Edit summaries are no longer transformed in notification e-mails.
 * Help message for e-mail is shown again in user preferences.
 * $3 and $4 parameters are now substituted correctly in message "movepage-moved".
 * Edit links are no longer displayed when displaying old page versions
 * User name should be normalized on Special:Contributions.
 * If heading has a trailing space after == then its name is not preloaded into edit summary on section edit.
 * New ID mw-content-text around the actual page text, without categories, contentSub, ... The same div often also contains the class mw-content-ltr/rtl.
 * Proxy and DNS blacklist blocking works again
 * jquery.byteLimit shouldn't set element specific variables outside the "return this.each" loop.
 * Remove or skip strip markers from tag hooks like <nowiki> in core parser functions which operate on strings, such as padleft.
 * Don't expose strip markers when a tag appears inside a link inside a heading.
 * Fixed exposure of tokens through load.php that could have facilitated CSRF attacks

Configuration changes in 1.19

 * Removed SkinTemplateSetupPageCss hook; use BeforePageDisplay instead.
 * movefile right granted by default to registered users.
 * Default cookie lifetime ($wgCookieExpiration) is increased to 180 days.
 * Removed old user.user_options.
 * $wgMaxImageArea now applies to jpeg files if they are not scaled with ImageMagick.
 * Introduced $wgQueryPageDefaultLimit (defaults to 50) for the number of items to show by default on query pages (special pages such as Whatlinkshere).
 * Increase the length of ug_group.
 * Removed $wgEnableTooltipsAndAccesskeys.
 * Removed $wgVectorShowVariantName.
 * Removed $wgExtensionAliasesFiles. Use $wgExtensionMessagesFiles.
 * Removed $wgResourceLoaderInlinePrivateModules, now always enabled.

New features in 1.19

 * Add ability to get all interwiki prefixes also if the interwiki cache is used.
 * $wgDnsBlacklistUrls now accepts an array with url and key as the elements to work with DNSBLs that require keys, such as Project Honeypot.
 * Add support for custom loadScript sources to ResourceLoader.
 * Unicode space separator characters (Zs) now terminate external links and image links.
 * Add public method to mw.loader to get module names from registry.
 * Parameters to special pages included in wikitext can now be passed as with templates.
 * Installer now issues a warning if mod_security is present.
 * Add support for a filter callback function in jQuery byteLimit plugin.
 * Added two new GetLocalURL hooks to better serve extensions working on a limited type of titles.
 * Added a --no-updates flag to importDump.php that skips updating the links tables.
 * Most presentational html attributes like valign are now converted to inline css style rules. These attributes were removed from html5 and so we clean them up when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes.
 * Magic words (time and number-formatting ones, plus DIRECTIONMARK, but not NAMESPACE) now depend on the page content language instead of the site language. In theory this sets the right magic words in system messages, although they are not used there.
 * Add page_props to RefreshLinks::deleteLinksFromNonexistent.
 * Clear page_props table on page deletion.
 * Hook added to check for exempt from account creation throttle.
 * Add configuration variable for setting custom priorities when generating sitemaps.
 * Add array support for space-separated list attributes (like 'class') in the Html helper class.
 * Add checkered background image on hover on files pages.
 * mediawiki.html: Add support for numbers and booleans in the attribute values and element contents.
 * Conversion script between Tifinagh and Latin for the Tachelhit language.
 * Add options 'noreplace' and 'noerror' to to stop it from replacing an already existing default sort, and suppress error.
 * Rewrote revision delete related messages to allow better localisation.
 * LanguageConverter now depends on the page content language instead of the wiki content language.
 * Jump links will now be usable in CSS-capable browsers instead of only in outdated text browsers.
 * New common*.css files usable by skins instead of having to copy piles of generic styles from MonoBook or Vector's css.
 * Some deprecated presentational html attributes will now be automatically converted to css.
 * Add support for namespaces in Special:RecentChanges subpage filter syntax.
 * The default user signature now contains a talk link in addition to the user link.
 * Add link of old page title to MediaWiki:Delete_and_move_reason.
 * Added hook BitmapHandlerCheckImageArea.
 * Add $wgDBprefix option to cli installer.
 * getUserPermissionsErrors and getUserPermissionsErrorsExpensive hooks are now also called when checking for 'read' permission.
 * Introduce $wgEnableSearchContributorsByIP which controls whether searching for an IP address redirects to the contributions list for that IP.
 * Database::update should take array of tables too.
 * Add "Inverse namespaces" option to Special:Contributions.
 * Add byte length of revision to Special:Contributions.
 * Added $wgDisableUploadScriptChecks to allow uploading of files containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
 * New path mappings can be added using the WebRequestPathInfoRouter hook and adding paths to the PathRouter.
 * Special:ActiveUsers now allows a subpage to be used as value for the "target" query parameter (eg. Special:ActiveUsers/Username).
 * New JavaScript variable wgPageContentLanguage.
 * Added new debugging toolbar, enabled with $wgDebugToolbar.
 * Differences in the history page now use slightly better colors for people perceiving colors differently.
 * Upgrade jQuery to 1.7.1.
 * jQuery UI upgraded to 1.8.17.
 * Extensions can use the 'Language::getMessagesFileName' hook to define new languages using messages files outside of core.
 * Add 'Associated namespace' checkbox to Special:Contributions.
 * Added $wgSend404Code, true by default, which can be set to false to send a 200 status code instead of 404 for nonexistent articles.
 * Link to the broken image tracking category from Special:Wantedfiles.
 * Add timestamp to job queue.
 * Implement SpecialPage for running javascript tests. Disabled by default, due to tests potentially being harmful, not to be run on a production wiki. Enable by setting $wgEnableJavaScriptTest to true.
 * Extensions can use the RequestContextCreateSkin hook to override what skin is loaded in some contexts.
 * Show $wgQueryCacheLimit on cached query pages.
 * Add an option to allow all pages to be exported by Special:Export.
 * mediawiki.js Message object constructor is now publicly available as mw.Message.
 * Allow CSS class per tooltip (tipsy).
 * Add accesskey/tooltip to submit buttons on Special:EditWatchlist.
 * Inline rendering/thumbnailing for Gimp XCF images.
 * Namespace has its own XML tag in the XML dump file.
 * Redirect tag is now resolved in XML dump file.
 * sha1 xml tag added to XML dump file.
 * Badtitle error page now emits a 400 HTTP status.
 * Special:MovePage now has a dropdown menu for namespaces.
 * Special:Version now shows git HEAD sha1 when available.
 * Refactor mw.toolbar to allow dynamic additions at any time.
 * Now possible to specify separate section title and edit summary when adding a new section to a page via the edit API action.

Bug fixes in 1.19

 * $wgUploadNavigationUrl should be used for file redlinks if $wgUploadMissingFileUrl is not set. The first was used for this until the second was introduced in 1.17.
 * BREAKING CHANGE: Style rules for wikitable are now more specific and prevent inheritance to nested tables which caused various issues ( and ). If your wiki has overridden rules for ".wikitable", please revise them and adjust where necessary. For comparison, use the "table.wikitable" section in skins/common/shared.css as base.
 * $wgUploadNavigationUrl is now used for file redlinks if $wgUploadMissingFileUrl is not set. The former was used for this until the second was introduced in 1.17.
 * Move 'editondblclick' event listener down from body to div#bodyContent.
 * The check for posix_isatty in maintenance scripts did not detect when the function exists but is disabled. Introduced Maintenance::posix_isatty.
 * Changed installer-generated LocalSettings.php to use require_once instead of require for included extensions.
 * Do not convert text in the user interface language to another script.
 * Previewing user JS/CSS pages didn't load other user JS/CSS pages.
 * ResourceLoader modules with paths to nonexistent files cause PHP warnings/notices to be thrown.
 * Fix for HTMLForms using GET that were breaking when non-friendly URLs are used.
 * Preventing half truncated multi-byte unicode characters when truncating log comments.
 * Show --batch-size option in help of maintenance scripts that support it.
 * Magic quotes cleaning was not comprehensive, key strings were not unescaped.
 * Importers no longer can 'edit' or 'create' a fully-protected page by importing a new revision into it.
 * Allow moving the associated talk pages of subpages even if the base page has no subpage.
 * Per page edit-notices now work in namespaces without subpages enabled.
 * $wgEnotifUseJobQ is no longer unconditionally enqueueing jobs.
 * File names are now restricted on upload to 240 bytes, because of restrictions on some of the database fields.
 * Timezones are now recognised in user preferences when offset is different due to DST.
 * "summary" parameter now also works when undoing revisions.
 * "move succeeded" text displayed bluelinks even when redirect was suppressed.
 * Special:UserLogin's title on Special:SpecialPages now says "create account" when the user cannot create an account.
 * 'usercreated' message now supports GENDER.
 * Our phpunit.php script can now be executed from another directory.
 * Setting $wgEmailConfirmToEdit to true no longer removes diffs from recent changes feeds.
 * Add current time to message wlnote on Special:Watchlist.
 * $wgFeedDiffCutoff did not affect new pages.
 * Add wfRemoveDotSegments for use in wfExpandUrl.
 * Do not display "No higher resolution available" for dimensionless files (like audio files).
 * Add wfAssembleUrl for use in wfExpandUrl.
 * Fixed: wfExpandUrl now expands dot segments.
 * Upload comments now truncated properly, and don't have brackets.
 * Special:PermanentLink now shows an error message when no subpage was specified.
 * Special:Newpages now shows the new page name for moved pages.
 * The way to search blocked usernames in block log should be clearer.
 * eAccelerator shared memory caching has been removed since it is now disabled by default and is buggy. APC, XCache and WinCache are not affected.
 * Installer now refuses to install if php was not compiled with Ctype support.
 * Remove "trackback" feature entirely from core.
 * Special:BlockList prefills the username in the input field if using the Special:BlockList/username URL.
 * Make JavaScript variables wgSeparatorTransformTable and wgDigitTransformTable depend on page content language so the sort script sorts correctly more often.
 * Expose wgRedirectedFrom in JavaScript.
 * History tab not collapsed when the screen is narrow.
 * Use new section summary when the action of adding a new section also happens to create the page.
 * Remove EmailAuthenticationTimestamp from database when an email address is removed.
 * Empty pages get an empty bytes attribute in Export/Dump.
 * Viewing a User or User talk of username resembling IP ending with .xxx causes Internal error.
 * Warning about undefined index in certain situations when $wgLogRestrictions causes the first log type requested to be removed but not the others.
 * Use separate message ('prefixindex-namespace') for title of Special:PrefixIndex rather than re-using Special:AllPages's allinnamespace.
 * Special:Block now allows you to confirm you want to block yourself when using non-normalized username.
 * News icon shown for news:// URLs but not for news: URLs.
 * Make mw.util.addCSS resistant to IE's @font-face bug by setting cssText after DOM insertion.
 * When adding a new section to a page with section=new, the text is now always added to the current version of the page.
 * Fix uploads of SVGs exported by Adobe Illustrator by expanding XML entities correctly.
 * Embeddable ResourceLoader modules (user.options, user.tokens) should be loaded in <head> for proper dependency resolution.
 * Removed method Skin::makeGlobalVariablesScript has been re-added for backward compatibility.
 * Make sure tracking category messages expand variables like relative to correct title.
 * ISO-8601 week-based year number (format character 'o') is now calculated correctly with respect to timezone.
 * InstantCommons now fetches content from Wikimedia Commons using HTTPS when the local wiki is served over HTTPS.
 * clearTagHooks doesn't clear function hooks.
 * Function tag hooks don't appear on Special:Version.
 * Files with IPTC blocks we can't read no longer prevent extraction of exif or other metadata.
 * Remove action "historysubmit" from history pages.
 * mw.config wgAction should contain the actually performed action instead of whatever the query value contains.
 * Add CSS hook for current WikiPage action.
 * Common border-bottom color for <abbr> should inherit default (text) color.
 * Display file sizes in appropriate units.
 * and related variables are no longer blank after doing a null edit.
 * $wgUsersNotifiedOnAllChanges should not send e-mail to user who made the edit.
 * Decoding %2B with mw.Uri.decode results in ' ' instead of +.
 * QueryPage-based special pages no longer miss *-summary message.
 * Other sizes links are no longer generated for wikis without a 404 thumbnail handler.
 * Enforce byteLimit for page title input on Special:MovePage.
 * CSSMin::remap doesn't respect its $embed parameter.
 * Special:Contributions/newbies now shows the contributions for the user "newbies". New user contributions are obtained using the form or using ?contribs=newbie in URL.
 * It is now possible to delete images that have no corresponding description pages.
 * GlobalFunctions.php line 1312: Call to a member function getText on a non-object.
 * Group dynamically inserted CSS into a single <style> tag, to work around a bug where not all styles were applied in Internet Explorer.
 * Broken or invalid titles can't be removed from watchlist.
 * Older skins using useHeadElement=false were broken in 1.18.
 * [mw.config] wgActionPaths should be an object instead of a numeral array.
 * mw.util.tooltipAccessKeyPrefix should be alt-shift for Chrome on Windows
 * Special:Categories should also include the first relevant item when "from" is filled.
 * Indents and lists are now aligned
 * An error occurred while changing your watchlist settings for Special:WhatLinksHere/Example

API changes in 1.19

 * Made action=edit less likely to return "unknownerror", by returning the actual error message (which may have come from a hook call or similar).
 * siprop=interwikimap can now use the interwiki cache.
 * Add API search prefix support.
 * Set forgotten parameter types in ApiQueryIWLinks.
 * Do not output NULL parentid with list=deletedrevs&drprop=parentid.
 * siprop=interwikimap and siprop=languages can use silanguagecode to have a best effort language name translation. Use CLDR extension for best result.
 * action=expandtemplates should not silently override invalid title inputs.
 * Create API to fetch MediaWiki's language fallback tree structure.
 * Allow show/hide of account blocks, temporary blocks and single IP address blocks for list=blocks.
 * Add support to only return keys in ApiAllMessages.
 * The API now respects $wgShowHostnames and won't share the hostname in servedby if it's set to false.
 * wlexcludeuser parameter added to ApiFeedWatchlist.
 * Links on redirect pages no longer cause the redirect page to show up as a redirect to the linked page on Special:Whatlinkshere.
 * API: Move captchaid/captchaword of action=edit from core to Captcha extension(s).
 * Added 'APIGetDescription' hook.
 * Paraminfo for parameter "generator" of the query module shows too many types.
 * Empty pages get no size attribute in API output.
 * Undefined property notice in querypages API.
 * API should allow purge by pageids.
 * API examples should explain what they do.
 * Api incorrectly calls ApiBase::parseMultiValue if allowed values is given as an array.
 * and related variables are no longer blank after calling action=purge&forcelinkupdate.
 * action=watch now parses messages using the correct title instead of "API".
 * ResourceLoaderWikiModule should auto-update when messages (created or overwritten) in the MediaWiki namespace change.

Languages updated in 1.19
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.


 * Canadian English (en-ca) (new).
 * Norwegian (bokmål) (nb) (renamed from no).
 * Uighur (Latin) (ug-latn) was incorrectly marked as right-to-left language.
 * Make pt-br a fallback of pt.
 * Set fallback language of Assamese from Bengali to English.
 * Update date format for dsb and hsb: month names need the genitive.
 * Serbian variant conversion improvements (Nikola Smolenski).
 * Lower diacritics are invisible in titles in Indic languages Assamese, Bengali, Hindi, Malayalam and Odiya.
 * Titles in Indic languages are partially cut.
 * Gendered namespaces for Czech.
 * Language::formatSize/formatBitrate should be able to deal with larger numbers (tera-yotta).

Other changes in 1.19

 * BREAKING CHANGE: Legacy global array 'ta' and global function 'akeytt' have been removed from wikibits.js.
 * jquery.mwPrototypes module was renamed to jquery.mwExtension.
 * The maintenance script populateSha1.php was renamed to the more concise populateImageSha1.php.
 * The Client-IP header is no longer checked for when trying to resolve a client's real IP address.
 * Although IE5.x and below was already unsupported officially, stylesheets existing exclusively for IE5.0 and IE5.5 have now been removed (which were in skins 'chick' and 'monobook').
 * The constructor for CategoryView has changed, the second parameter is now a Context source and is required.
 * The Title::escape{Local,Full,Canonical}URL methods are deprecated, please use proper html building methods to escape the normal get{...}URL methods instead.
 * The $variant arguments in the Title::get{Local,Full,Link,Canonical}URL methods have been replaced with a secondary query argument.
 * The $variant argument in the hooks for the Title::get{Local,Full,Link,Canonical}URL methods has been removed, the variant is now part of the $query argument.
 * Removed Title::isValidCssJsSubpage, deprecated since 1.17 in favor of using Title::isCssJsSubpage or checking Title::isWrongCaseCssJsPage.
 * Support for the deprecated hook MagicWordMagicWords was removed.
 * The Xml::namespaceSelector method has been deprecated, please use Html::namespaceSelector instead (note that the parameters have changed also).
 * Preload popular ResourceLoader modules (mediawiki.util) as stop-gap for scripts missing dependencies. New configuration variable $wgPreloadJavaScriptMwUtil has been introduced for this (set to false by default for new installations). Set to true if your wiki has a large amount of user/site scripts that are lacking dependency information. In the short to medium term these user/site scripts should be fixed by adding the used modules to the dependencies in the module registry and/or wrapping them in a callback to mw.loader.using.
 * MediaWiki now requires MySQL 5.0.2 or later when using a MySQL database.

Compatibility
MediaWiki 1.19 requires PHP 5.2.3. PHP 4 is no longer supported.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for IBM DB2 and Oracle.

The supported versions are:


 * MySQL 5.0.2 or later
 * PostgreSQL 8.3 or later
 * SQLite 3.3.7 or later
 * Oracle 9.0.1 or later

Upgrading
1.19 has several database changes since 1.18, and will not work without schema updates.

As of 1.19 several JavaScript interfaces that were deprecated or superseded in MediaWiki 1.17, MediaWiki 1.16 or even earlier have been removed. They are listed at the top of the "Other changes" list as a "BREAKING CHANGE".

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.18.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

https://www.mediawiki.org/wiki/Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net.