author | Reedy <reedy@wikimedia.org> | 2022-03-28 15:22:11 +0100 |
---|---|---|
committer | Reedy <reedy@wikimedia.org> | 2022-03-31 22:50:56 +0000 |
commit | 364e92c494bf4f60c6ed4a876262d46c570c0770 (patch) | |
tree | 9bee38a1b3197f15e0bc94b54e0b1565a90c52c7 | |
parent | 5d1e4d7fd4a50e48385abcfe042ee9f9a9ffc3cc (diff) |
Prep 1.37.2
Change-Id: I9016d4fb935c816c8f3bda7078461dd5338ef6a6
-rw-r--r-- | RELEASE-NOTES-1.37 | 12 |
-rw-r--r-- | includes/Defines.php | 2 |
2 files changed, 10 insertions, 4 deletions
diff --git a/RELEASE-NOTES-1.37 b/RELEASE-NOTES-1.37 index 74f44e27205c..61afed73ab33 100644 --- a/RELEASE-NOTES-1.37 +++ b/RELEASE-NOTES-1.37 @@ -2,7 +2,7 @@ == MediaWiki 1.37.2 == -THIS IS NOT A RELEASE YET +This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.1 === * (T298261) Fix support for Composer 2.2. @@ -10,8 +10,8 @@ THIS IS NOT A RELEASE YET * Update doctrine/dbal (3.0.0 => 3.1.5). * (T296898) Add entry point name to disabled Session exception if possible. * (T298564) MemcachedClient: Add support for IPv6. -* (T297543) SECURITY: properly escape output used within galleries and - Special:RevisionDelete. +* (T297543, CVE-2022-28202) SECURITY: properly escape output used within + galleries and Special:RevisionDelete. * (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). @@ -45,6 +45,12 @@ THIS IS NOT A RELEASE YET * (T303871) Fix @since of Title::getId(). * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value. * wrapOldPasswords: add \n to two output calls. +* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion + loop if it points to a local interwiki. +* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file + uploads with actor as a condition can result in a DoS. +* (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a + page is used on a extremely large number of other pages. == MediaWiki 1.37.1 == diff --git a/includes/Defines.php b/includes/Defines.php index dad36360714e..13e3615c87d0 100644 --- a/includes/Defines.php +++ b/includes/Defines.php @@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase; * * @since 1.35 (also backported to 1.33.3 and 1.34.1) */ -define( 'MW_VERSION', '1.37.1' ); +define( 'MW_VERSION', '1.37.2' ); /** @{ * Obsolete IDatabase::makeList() constants |
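Review bot: The three entries added in the "@@ -45,6 +45,12 @@" hunk of RELEASE-NOTES-1.37 (T297571/CVE-2022-28201, T297731/CVE-2022-28203, T297754/CVE-2022-28204) carry CVE ids but not the "SECURITY:" prefix that the T297543 entry in the same list uses, so anyone scanning or grepping the notes for SECURITY will find only one of the four CVE-tagged changes. Suggest prefixing each with "SECURITY:" and wording them as the fix rather than the symptom, as the neighbouring entries do ("Fix ...", "Add ..."); as written, "goes into an infinite recursion loop" and "can result in a DoS" read as open defects rather than resolved ones. Also, "a extremely large number" should be "an extremely large number".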