Critical Vulnerability Information

Vulnerability Type:
- XSS (Cross-Site Scripting) affecting Internet Explorer 6 clients.

Affected Versions:
- MediaWiki 1.16.3.

Issue Description:
- The previously fixed Internet Explorer 6 XSS issue (bug 28235) was not adequately resolved in the MediaWiki 1.16.3 patch. The vulnerability remains present.
- The fix requires handling URLs containing multiple question marks. In some cases, Internet Explorer 6 may look at the file extension before the question mark in the URL and interpret the response as HTML, leading to security risks.

Mitigation Measures:
- MediaWiki 1.16.4 has been released as a further attempt to fix the vulnerability.
- If you previously applied the Apache configuration recommended in the security advisory, you must update it as follows:

Updated Apache Configuration:

Download Links:
- MediaWiki 1.16.4: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz
- Patch File: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz

GPG Verification:
- Verify the authenticity of the fix files. Public key: https://secure.wikimedia.org/keys.html
- GPG Signatures:
  - http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig
  - http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig
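
The URL shape named under Issue Description, a file extension sitting directly before a second or later question mark, can be searched for in web server access logs on installations that have not yet upgraded. The following Python script is an added example, not code from MediaWiki or from the advisory; the extension pattern, the log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption (not from the advisory): an "extension" is a dot followed by
# 1-4 letters or digits, sitting right before a literal '?'.
EXT_AT_END = re.compile(r"\.[a-z0-9]{1,4}$", re.IGNORECASE)
# Assumption: Apache common/combined log format, client address first.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP range, made-up URLs).
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2011:10:00:00 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5120
192.0.2.11 - - [01/May/2011:10:00:05 +0000] "GET /w/api.php?action=query&x=a.html?format=json HTTP/1.1" 200 812
192.0.2.12 - - [01/May/2011:10:00:09 +0000] "GET /w/index.php?title=File:Logo.png&action=raw HTTP/1.1" 200 90
192.0.2.13 - - [01/May/2011:10:00:12 +0000] "GET /w/index.php?search=what?&go=Go HTTP/1.1" 200 4000
"""


def extensions_before_later_qmarks(url):
    """Return extensions that sit directly before a second or later '?'."""
    _path, sep, query = url.partition("?")
    if not sep:
        return []  # no query string at all
    pieces = query.split("?")
    hits = []
    # Every piece except the last is followed by another literal '?'.
    for piece in pieces[:-1]:
        match = EXT_AT_END.search(piece)
        if match:
            hits.append(match.group(0).lower())
    return hits


def flag_requests(log_text):
    """Return (client, url, extensions) for each request worth reviewing."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        client, url = match.groups()
        hits = extensions_before_later_qmarks(url)
        if hits:
            flagged.append((client, url, hits))
    return flagged


if __name__ == "__main__":
    for client, url, hits in flag_requests(SAMPLE_LOG):
        print(client, url, hits)
```

Only literal question marks are considered, and a single question mark followed by an ordinary query string is never flagged, so normal MediaWiki requests pass through.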