MediaWiki 1.16.4 is a second security release this week. Shortly after previous release (1.16.3), Masato Kinugawa discovered that one of the XSS problems that the 1.16.3 release was designed to address hadn’t been fully addressed, and reported bug 28507. As a consequence, Internet Explorer 6 users visiting a site running 1.16.3 will still be vulnerable to an XSS attack. After more thorough testing (thanks Roan Kattouw!), we’re releasing 1.16.4.
Full details are in Tim Starling’s 1.16.4 release announcement. Sorry for the inconvenience of a second release, and thank you everyone involved in getting this fixed!