authorcsteipp <csteipp@wikimedia.org>2015-03-31 06:08:01 -0700
committerChris Steipp <csteipp@wikimedia.org>2015-03-31 21:29:34 +0000
commit3168f88114df2e8b9e4c7affc645a025b9df5fc1 (patch)
treeef005157bbc78fd04fe294283ad1586f16098457
parent3ed926d89e775b797451a2b67c6825e8a959363b (diff)
Updated release notes and version number for MediaWiki 1.23.91.23.9
Change-Id: Iceda1e73060a5c05ca11a9cdab065e5b28ae53a7
-rw-r--r--RELEASE-NOTES-1.2311
-rw-r--r--includes/DefaultSettings.php2
2 files changed, 11 insertions, 2 deletions
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 1178c5b48b52..2eaa0a5489b6 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -3,10 +3,19 @@ have it on, turn it '''off''' if you can.
== MediaWiki 1.23.9 ==
-This is a (security and?) maintenance release of the MediaWiki 1.23 branch.
+This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.8 ==
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 65f75a6f6841..62ea811181b4 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -73,7 +73,7 @@ $wgConfigRegistry = array(
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.23.8';
+$wgVersion = '1.23.9';
/**
* Name of the site. It must be changed in LocalSettings.php