authormglaser <glaser@hallowelt.biz>2014-12-17 18:57:09 +0100
committermglaser <glaser@hallowelt.biz>2014-12-17 20:00:40 +0100
commit3d6956afe6b897a237b7b7b48416ad4ba9fc7679 (patch)
tree25fe2de31410ed660eb191de4f412e177bc55bf0
parent4712c3fe51bbdf311bee4211fc7cb21da69a7a3b (diff)
Updated release notes and version number to MediaWiki 1.23.81.23.8
This is the MediaWiki 1.23.8 security and maintenance release. Change-Id: I9ce82c6d4351535444b63333fbbda576fdfac5db
-rw-r--r--RELEASE-NOTES-1.2314
-rw-r--r--includes/DefaultSettings.php2
2 files changed, 15 insertions, 1 deletions
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 190fc9562efb..7e4388eccba7 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -1,6 +1,20 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.23.8 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+== Changes since 1.23.7 ==
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
== MediaWiki 1.23.7 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 7e1cb435a0b1..65f75a6f6841 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -73,7 +73,7 @@ $wgConfigRegistry = array(
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.23.7';
+$wgVersion = '1.23.8';
/**
* Name of the site. It must be changed in LocalSettings.php