Prep 1.36.31.36.3

Change-Id: Ie74f47963f2b31b9216874e37bf2a3813e09fd6d

2 files changed, 10 insertions, 3 deletions

diff --git a/RELEASE-NOTES-1.36 b/RELEASE-NOTES-1.36
index ed0710e514cb..f7b295b434fb 100644
--- a/RELEASE-NOTES-1.36
+++ b/RELEASE-NOTES-1.36
@@ -2,7 +2,7 @@
 
 == MediaWiki 1.36.3 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.36 branch.
 
 === Changes since MediaWiki 1.36.2 ===
 * (T280363) mediawiki.page.ready: Introduce wikipage.indicators hook.
@@ -18,7 +18,8 @@ THIS IS NOT A RELEASE YET
 * HistoryBlobStub: add getLocation() to get $mOldId.
 * Fix checkStorage.php.
 * checkStorage: pass no parameters to WikiRevision::getContent().
-* (T292763) Do not cache private wiki completion results.
+* (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion
+  results.
 * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
 * (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
 * (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser.
@@ -35,6 +36,12 @@ THIS IS NOT A RELEASE YET
 * (T286779, T297031) installer: Fix Postgres mistakes in using changeField
   method.
 * (T225888) RollbackAction: fix missing pagetitle.
+* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in
+  undo actions.
+* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
+* (T34716, T297416) SECURITY: Require 'read' right for most actions.
+* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook
+  when changing content model.
 
 == MediaWiki 1.36.2 ==
 
diff --git a/includes/Defines.php b/includes/Defines.php
index d272701ee3c0..7a4cefbf3ecc 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
  *
  * @since 1.35
  */
-define( 'MW_VERSION', '1.36.2' );
+define( 'MW_VERSION', '1.36.3' );
 
 /** @{
  * Obsolete IDatabase::makeList() constants