authorChad Horohoe <chadh@wikimedia.org>2015-12-17 15:04:46 -0800
committerChad Horohoe <chadh@wikimedia.org>2015-12-17 16:33:20 -0800
commit42e1e5586fac1548705bbcb984d22c57992ea748 (patch)
treeb57cf7af270e555a933e05f58d8fc201906b8739
parentd0d287546e242e9489d13d0b51caf73516f307d4 (diff)
1.24.5: Prep release notes and bump version number1.24.5
Change-Id: I9fd74dc86f54d33f20e39d4b9f6c9f667c44b9ba
-rw-r--r--RELEASE-NOTES-1.2418
-rw-r--r--includes/DefaultSettings.php2
2 files changed, 17 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24
index f8713d0220fd..3dc97612abe3 100644
--- a/RELEASE-NOTES-1.24
+++ b/RELEASE-NOTES-1.24
@@ -3,10 +3,24 @@ turn it off. MediaWiki will no longer work with it enabled.
== MediaWiki 1.24.5 ==
-THIS IS NOT YET A RELEASE!
+This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.24.4 ==
-
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.
== MediaWiki 1.24.4 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index e58c051d5eb5..0b049a38a76d 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -75,7 +75,7 @@ $wgConfigRegistry = array(
* Using single quotes is, therefore, important here.
* @since 1.2
*/
-$wgVersion = '1.24.4';
+$wgVersion = '1.24.5';
/**
* Name of the site. It must be changed in LocalSettings.php