- 1 MediaWiki 1.31.1
- 2 Changes since MediaWiki 1.31.0-rc.2
- 3 Changes since MediaWiki 1.31.0-rc.0
- 4 Important pre-upgrade notes for 1.31
- 5 Configuration changes in 1.31
- 6 New features in 1.31
- 7 External library changes in 1.31
- 8 Bug fixes in 1.31
- 9 Action API changes in 1.31
- 10 Action API internal changes in 1.31
- 11 Languages updated in 1.31
- 12 Breaking changes in 1.31
- 13 Deprecations in 1.31
- 14 Other changes in 1.31
- 15 Compatibility
- 16 Upgrading
- 17 Online documentation
- 18 Mailing list
- 19 IRC help
This is a security and maintenance release of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.0
- (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.
- (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.
- (task T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
- (task T197229) Bundle Nuke extension, it was accidentally omitted.
- (task T193995) Fix undefined patchPath() method call in parser tests.
- (task T198687) Fix various selectFields methods to use the string 'NULL', not null.
- Special:BotPasswords now requires reauthentication.
- (task T191608, (task T187638) Add 'logid' parameter to Special:Log.
- (task T193829) Indicate when a Bot Password needs reset.
- (task T198037) GitInfo: Don't try shelling out if it's disabled.
- (task T151415) Log email changes.
- (task T197206) Fix performance regression when multiple DB used without caching.
- (task T197030) PHPSessionHandler: Suppress headers warnings in initialize().
- (task T182377, task T196793) Exif: Guard against uncountable tag values.
- (task T200861) Fix total breakage of SQLite web upgrade.
- (task T200864) Fix pingback over-reporting on non-MySQL databases
- (task T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
Changes since MediaWiki 1.31.0-rc.2
- (task T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
- (task T196092) Hide MySQL binary/utf-8 charset option in the installer.
- (task T196185) Don't allow setting $wgDBmysql5 in the installer.
- (task T196125) php-memcached 3.0 (provided with PHP 7.0}}) is now supported.
- (task T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
- (task T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
- (task T196672) The mtime of extension.json files is now able to be zero
- (task T180403) Validate $length in padleft/padright parser functions.
- (task T143790) Make $wgEmailConfirmToEdit only affect edit actions.
Changes since MediaWiki 1.31.0-rc.0
- (task T33223) Drop archive.ar_text and ar_flags.
- Add default edit rate limit of 90 edits/minute for all users.
- (task T187645) Use codepoint as tiebreaker when getting first-letters in IcuCollation.
- (task T191947) Don't shell during the installer if shelling out is disabled.
- (task T194319) Improve duplicate config setting exception as part of extension registration.
- (task T195211) Don't require trailing slash in PSR-4 autoloader directory.
- (task T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
- Do not incorrectly hide namespace input field in the installer.
- (task T186456) Refactor checks looking for PEAR mail libraries to be clearer.
Important pre-upgrade notes for 1.31
- If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply schema changes, and cannot have downtime to run migrateArchiveText.php and apply patch-drop-ar_text.sql manually, you'll have to apply a default value to the ar_text and ar_flags columns of the archive table or make those columns nullable before upgrading to MediaWiki 1.31. maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
Configuration changes in 1.31
- $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in a future version. The API is now considered to be stable, secure and essential.
- $wgUsejQueryThree was removed, as it is now the default. This was documented as a temporary variable during the migration period, deprecated since 1.29.
- $wgLogoHD has been updated to support svg images and uses $wgLogo where possible for fallback images such as png.
- (task T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not have the right to mark things patrolled.
- Wikis that contain imported revisions or CentralAuth global blocks should run maintenance/cleanupUsersWithNoId.php.
- The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
- (task T180921) $wgReferrerPolicy now supports having fallbacks for browsers that are not using the latest version of the Referrer Policy specification.
- $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a first step of migration to human-readable section IDs that will later result in 'html5' being the default mode.
- CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed as upstream is inactive and has no plans to move to PHP 7.
- The old CategorizedRecentChanges feature, including its related configuration option $wgAllowCategorizedRecentChanges, has been removed.
- (task T188472) The 'comma' value for $wgArticleCountMethod is no longer supported for performance reasons, and installations with this setting will now work as if it was configured with 'any'.
- (task T185753) MediaWiki now defaults to using RemexHtml to tidy up user input, rather than being off by default. If you wish to disable HTML tidying entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
- $wgLogAutopatrol now defaults to false instead of true.
- $wgValidateAllHtml was removed and will be ignored.
- $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the 1.25 release notes for more information.
- $wgUseAjax is now marked as deprecated, just like the deprecated AJAX framework that it enables. Some extensions mistakenly used this to check whether any AJAX functionality at all should be enabled, further making this problematic to retain.
- $wgDBmysql5 is now deprecated, and will be removed in a future version. It has been marked as experimental ever since it was introduced.
New features in 1.31
- (task T76554) User sub-pages named ….json are now protected in the same way that ….js and ….css pages are, so that configuration options can safely be placed there.
- Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins with parentheses for grouping.
- As a first pass in standardizing dialog boxes across the MediaWiki product, Html class now provides helper methods for messageBox, successBox, errorBox and warningBox generation.
- (task T9240) Imports will now record unknown (and, optionally, known) usernames in a format like "iw>Example".
- (task T20209) Linker (used on history pages, log pages, and so on) will display usernames formed like "iw>Example" as interwiki links, as if by wikitext like iw>Example.
- (task T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create users during an import.
- Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect the ParserOutput::getText() post-cache transformations.
- Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the initial page text for file uploads.
- (task T181651) The info page for File pages now displays the file's base-16 SHA1 hash value in the table of basic information.
- Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a ParserOutput::getText() post-cache transformation. This may be disabled by passing 'deduplicateStyles' => false to that method.
- The identity of the logged-in or IP "actor" for logged actions is being moved into a new actor table, with the rows in tables such as revision and logging referring to the actor ID instead of storing the user ID and name/IP in every row.
- This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis can set this to MIGRATION_NEW and run maintenance/migrateActors.php as soon as any necessary extensions are updated.
- Most code accessing rows for logged actions from the database should use the relevant getQueryInfo() methods to get the information needed to build the SQL query. The ActorMigration class may also be used to get feature -flagged information needed to access actor-related fields during the migration period.
- Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic section without having to roll back the whole transaction.
- Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(), and non-MySQL ::replace() and ::upsert() no longer roll back the whole transaction on failure.
- (task T189785) Added a monthly heartbeat ping to the pingback feature.
- The CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
- (task T184791) rc_patrolled now has three states: "0" for unpatrolled, "1" for manually patrolled and "2" for autopatrolled actions.
- Extensions can now set their type to "editor" if they provide an editor or enhance the editing experience.
- Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces" property in extension.json. See the documentation at <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces> for more details and an example.
- (task T19099) Tabs which link to pages that don't exist (like those to uncreated discussion pages) now have a tooltip to indicate state, not just colour.
External library changes in 1.31
- pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from suggested to required. These packages now must be installed via composer and not via PEAR itself.
Upgraded external libraries
- Updated jquery.chosen from v0.9.14 to v1.8.2.
- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
- Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
- Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
- Updated wikimedia/relpath from 2.0.0 to 2.1.1.
- Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
- Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
- Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
- Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
- Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
- Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
New external libraries
- Added wikimedia/object-factory 1.0.0
Removed and replaced external libraries
- (task T17845) The deprecated 'jquery.badge' module was removed.
- The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS text-overflow property instead.
- The deprecated 'jquery.placeholder' module was removed.
- The deprecated 'jquery.appear' module was removed. Use the 'mediawiki.viewport' module instead.
- mediawiki/at-ease was replaced with wikimedia/at-ease.
Bug fixes in 1.31
- (task T90902) Non-breaking space in header ID breaks anchor.
- (task T189375) CSSMin now allows quoted urls in `url()` syntax to start with a space.
- (task T2087, T10897, T87753, T174639) Whitespace created by category and language links is now stripped rather than leaving blank lines in odd places.
- (task T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
- (task T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
Action API changes in 1.31
- (task T185058) The 'name' value to tgprop for action=query&list=tags has been removed. It has never made a difference in the output, the name was always returned regardless.
- The 'watch' and 'unwatch' parameters for action=move have been removed. They were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use 'watchlist' instead.
Action API internal changes in 1.31
- ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
- ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
- ApiBase::getProfileTime, deprecated since 1.25, was removed.
Languages updated in 1.31
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.
- (task T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
- (task T182305) New language support: Nyungar (nys).
- (task T186359) New language support: Siberian Tatar [cебертатар] (sty).
- (task T186635) New language support: Guianan Creole (gcr).
- (task T186647) New language support: Kumyk [къумукъ] (kum).
- (task T187750) New language support: Spanish formal address (es-formal).
- (task T187824) New language support: Hungarian formal address (hu-formal).
- (task T189127) New language support: Gorontalo (gor).
Breaking changes in 1.31
- MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
- The OutputPage class constructor now requires a context parameter. Instantiating without context was deprecated in 1.18.
- Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
- The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and ::onArticleEdit() methods, deprecated in 1.24, were removed.
- Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were removed. Use ExecutableFinder::findInDefaultPaths() instead.
- The deprecated MW_DIFF_VERSION constant was removed. DifferenceEngine::MW_DIFF_VERSION should be used instead.
- Due to significant refactoring, method ContribsPager::getUserCond() that had no access restriction has been removed.
- The Block class will no longer accept usable-but-missing usernames for 'byText' or ->setBlocker(). Callers should either ensure the blocker exists locally or use a new interwiki-format username like "iw>Example".
- The following methods and constants from the WatchedItem class, which were deprecated in 1.27, have been removed:
- The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced HtmlFormatter\HtmlFormatter class should be used instead.
- The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed. The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
- The following properties of PreparedEdit were deprecated in 1.21 and have been removed:
- ParserOutput objects which are generated using a non-default value for ParserOptions::setWrapOutputClass() can no longer be added to the parser cache.
- The following deprecated methods from the OutputPage class have been removed:
- OutputPage::addExtensionStyle(); deprecated in 1.27
- OutputPage::getExtStyle(); deprecated in 1.27
- OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
- OutputPage::setSquidMaxage(); deprecated in 1.27
- OutputPage::readOnlyPage(); deprecated in 1.25
- OutputPage::rateLimited(); deprecated in 1.25
- Additionally, the protected OutputPage::$mExtStyles array, only accessed through the above and with no known uses, was removed.
- The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
- The following variables and methods in EditPage, deprecated in MediaWiki 1.30, were removed:
- $isCssJsSubpage — use ::isUserConfigPage()
- $isCssSubpage — use ::isUserCssConfigPage()
- $isJsSubpage — use ::isUserJsConfigPage()
- $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
- ::getSummaryInput() – use ::getSummaryInputWidget()
- ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
- ::getCheckboxes() – use ::getCheckboxesWidget() or ::getCheckboxesDefinition()
- ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or ::getCheckboxesDefinition()
- ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
- In User, the cookie-related methods which were wrappers for the functions on the response object, and were deprecated in 1.27, have been removed:
- Note that User::setCookies() remains, and is not deprecated.
- Also in User, some auth-related methods which were deprecated in 1.27 have been removed:
- ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
- ::getPasswordFactory() – create a PasswordFactory directly
- The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have been removed.
- SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can use ::getNames() instead.
- OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You can use ApiOpenSearch::getOpenSearchTemplate() instead.
- The global function wfBaseConvert, deprecated in 1.27, has been removed. Use Wikimedia\base_convert() directly.
- Calling Database::begin() explicitly during an implicit transaction or when DBO_TRX is set results in an exception. Calling Database::commit() explicitly for an implicit transaction also results in an exception. Previously these were logged as errors. The startAtomic() and endAtomic() methods, or AtomicSectionUpdate should be used instead.
- The global function wfOutputHandler() was removed, use the its replacement MediaWiki\OutputHandler::handle() instead. The global function was only sometimes defined. Its replacement is always available via the autoloader.
- ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags, deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and ::listSoftwareDefinedTags() instead.
- Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
- HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
- The ProfileSection class, deprecated in 1.25 and unused, has been removed.
- The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use ResourceLoaderModule::getLessVars() to expose local variables instead of global ones.
- As part of work to modernise user-generated content clean-up, a config option and some methods related to HTML validity were removed without deprecation. The public methods MWTidy::checkErrors() and the path through which it was called, TidyDriverBase::validate(), are removed, as are the testing methods MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument(). The $wgValidateAllHtml configuration option is removed and will be ignored.
- Execution of external programs using MediaWiki\Shell\Command now applies the RESTRICT_DEFAULT Firejail restriction by default.
- The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods, deprecated in 1.26, were removed.
- The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed. Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
Deprecations in 1.31
- The Revision class was deprecated in favor of RevisionStore, BlobStore, and RevisionRecord and its subclasses.
- The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
- The global function wfCountDown is now deprecated in favor of Maintenance::countDown.
- Several methods for returning lists of fields to select from the database have been deprecated in favor of similar methods that also return the tables to select from and the join conditions for those tables.
- Block::selectFields() → Block::getQueryInfo()
- RecentChange::selectFields() → RecentChange::getQueryInfo()
- ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
- LocalFile::selectFields() → LocalFile::getQueryInfo()
- LocalFile::getCacheFields() with a prefix no longer works
- LocalFile::getLazyCacheFields() with a prefix no longer works
- OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
- RecentChange::selectFields() → RecentChange::getQueryInfo()
- Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
- Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
- Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
- Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
- Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
- Revision::selectFields() → Revision::getQueryInfo()
- Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
- User::selectFields() → User::getQueryInfo()
- WikiPage::selectFields() → WikiPage::getQueryInfo()
- Revision::setUserIdAndName() was deprecated.
- Access to TitleValue class properties was deprecated, the relevant getters should be used instead.
- DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
- Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use Maintenance::fatalError() instead.
- Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
- The RevisionInsertComplete hook is now deprecated; use instead the hook RevisionRecordInserted. RevisionInsertComplete is still called, but the second and third parameter will always be null. Hard deprecation is scheduled for 1.32.
- The following methods that get and set ParserOutput state are deprecated. Callers should use the new stateless $options parameter to ParserOutput::getText() instead.
- The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens are also deprecated.
- License::getLicenses has been deprecated; use License::getLines instead.
- QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set(). Setting template variables by reference allowed violating the principle of data being immutable once added to the skin template. In practice, this method was not being used for that. Rather, setRef() existed as memory optimisation for PHP 4.
- QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in favour of Skin::msg() parameters.
- MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or wfMessage().
- Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the 'unwrap' transform to ParserOutput::getText() instead.
- \ObjectFactory (no namespace) is deprecated, the namespaced class \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be used instead.
- CommentStore::newKey is deprecated. Instead, get an instance from MediaWikiServices.
- The following CommentStore methods have had their signatures changed to introduce a $key parameter, usage of the methods on instances retrieved from CommentStore::newKey will remain unchanged but deprecated:
- The following methods in Title have been renamed, and the old ones are deprecated:
- Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
- Title::isCssOrJsPage – use ::isSiteConfigPage
- Title::isCssJsSubpage – use ::isUserConfigPage
- Title::isCssSubpage – use ::isUserCssConfigPage
- Title::isJsSubpage – use ::isUserJsConfigPage
- The following methods related to caching of half-parsed HTML were deprecated:
- The DeferredStringifier class is deprecated, use Message::listParam() instead.
- The type string for the parameter $lang of DateFormatter::getInstance is deprecated.
- Wikimedia\Rdbms\SavepointPostgres is deprecated.
- The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be used instead.
- The function wfShellWikiCmd() has been deprecated, use MediaWiki\Shell::makeScriptCommand().
- In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' will be allowed to provide any HTMLForm object rather than PreferencesForm.
Other changes in 1.31
- Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
- Browser support for Opera 12 and older was dropped entirely. Opera 15+ continues at Grade A.
- Multi-content-revision capability was introduced into the storage layer. See <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
- The "free" CSS class is now only applied to unbracketed URLs in wikitext. Links written using square brackets will get the class "text" not "free".
- RFC task T157418: Whitespace is trimmed from wikitext headings, wikitext list items, wikitext table captions, wikitext table headings, wikitext table cells. HTML headings, HTML list items, HTML table captions, HTML table headings, HTML table cells will not have this trimming behavior.
MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is supported, it is generally advised to use PHP 7.0.0 or later for long term support.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.
The supported versions are:
- MySQL 5.5.8 or later
- PostgreSQL 9.2 or later
- SQLite 3.3.7 or later
- Oracle 9.0.1 or later
- Microsoft SQL Server 2005 (9.00.1399)
1.31 has several database changes since 1.30, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including important information when upgrading from versions prior to 1.11.
For notes on 1.30.x and older releases, see HISTORY.
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):
A mailing list is available for MediaWiki user support and discussion:
A low-traffic announcements-only list is also available:
It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.
There's usually someone online in #mediawiki on irc.freenode.net.