Prep 1.38.71.38.7

Change-Id: I9938fb6d8023c5be07e8d11c8ad94c0ac4797101
author: Reedy <reedy@wikimedia.org> 2023-06-29 22:12:36 +0100
committer: Reedy <reedy@wikimedia.org> 2023-06-30 16:26:09 +0100
commit: 059c8e1b9a315c36ae827f929ea9a077acbba2eb (patch)
tree: 292df6ded40d795cdf735fe8df7c24f72ff396a9
parent: 71a37c61148f6492c7a32f3401c9cab8df1ee4b8 (diff)
2 files changed, 6 insertions, 2 deletions
diff --git a/RELEASE-NOTES-1.38 b/RELEASE-NOTES-1.38
index bdfc5a3c061f..6a28a827c937 100644
--- a/RELEASE-NOTES-1.38
+++ b/RELEASE-NOTES-1.38
@@ -6,14 +6,18 @@ PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
 
 == MediaWiki 1.38.7 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.38 branch.
 
 === Changes since MediaWiki 1.38.6 ===
 * Localisation updates.
 * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
+* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
+  (2.4.0 => 2.4.5).
 * (T322944) Add Authorization to default $wgAllowedCorsHeaders.
 * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
 * (T330464) Work around argument corruption bug in XMLReader::open.
+* (T313157) IndexPager: Also protect against $offset being 0.
+* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
 
 == MediaWiki 1.38.6 ==
 
diff --git a/includes/Defines.php b/includes/Defines.php
index f03a0ae84b70..9e282bd5d217 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
  *
  * @since 1.35 (also backported to 1.33.3 and 1.34.1)
  */
-define( 'MW_VERSION', '1.38.6' );
+define( 'MW_VERSION', '1.38.7' );
 
 /** @{
  * Obsolete IDatabase::makeList() constants
author	Reedy <reedy@wikimedia.org>	2023-06-29 22:12:36 +0100
committer	Reedy <reedy@wikimedia.org>	2023-06-30 16:26:09 +0100
commit	059c8e1b9a315c36ae827f929ea9a077acbba2eb (patch)
tree	292df6ded40d795cdf735fe8df7c24f72ff396a9
parent	71a37c61148f6492c7a32f3401c9cab8df1ee4b8 (diff)