Check read permission when loading page content in ApiParse (CVE-2016-6331)
Make blocks log users out if $wgBlockDisablesLogin is true (CVE-2016-6332)
Make $wgBlockDisablesLogin also restrict logged in permissions (CVE-2016-6332)
Require login to preview user CSS pages (CVE-2016-6333)
Escape '<' and ']]>' in inline <style> blocks (CVE-2016-6333)
XSS in unclosed internal links (CVE-2016-6334)
API: Generate head items in the context of the given title (CVE-2016-6335)
Do not allow undeleting a revision deleted file if it is the top file (CVE-2016-6336)
The mediawiki package has been updated to version 1.23.15, which contains the above fixes.