Prep 1.36.41.36.4

Change-Id: I5512d7da30045d11ad38a3801231aaff53b7564e

2 files changed, 8 insertions, 4 deletions

diff --git a/RELEASE-NOTES-1.36 b/RELEASE-NOTES-1.36
index 2b31d53d393e..f0a724445ad2 100644
--- a/RELEASE-NOTES-1.36
+++ b/RELEASE-NOTES-1.36
@@ -2,7 +2,7 @@
 
 == MediaWiki 1.36.4 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.36 branch.
 
 === Changes since MediaWiki 1.36.3 ===
 * (T298261) Fix support for Composer 2.2.
@@ -10,8 +10,8 @@ THIS IS NOT A RELEASE YET
 * Update doctrine/dbal (3.0.0 => 3.1.5).
 * (T296898) Add entry point name to disabled Session exception if possible.
 * (T298564) MemcachedClient: Add support for IPv6.
-* (T297543) SECURITY: properly escape output used within galleries and
-  Special:RevisionDelete.
+* (T297543, CVE-2022-28202) SECURITY: properly escape output used within
+  galleries and Special:RevisionDelete.
 * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
 * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
 * Fix the json schema and the extension processor for Parsoid extension modules.
@@ -36,6 +36,10 @@ THIS IS NOT A RELEASE YET
 * (T303871) Fix @since of Title::getId().
 * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
 * wrapOldPasswords: add \n to two output calls.
+* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion
+  loop if it points to a local interwiki.
+* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file
+  uploads with actor as a condition can result in a DoS.
 
 == MediaWiki 1.36.3 ==
 
diff --git a/includes/Defines.php b/includes/Defines.php
index 7a4cefbf3ecc..69e0de9f2df0 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
  *
  * @since 1.35
  */
-define( 'MW_VERSION', '1.36.3' );
+define( 'MW_VERSION', '1.36.4' );
 
 /** @{
  * Obsolete IDatabase::makeList() constants