Updated release notes and version number to MediaWiki 1.22.151.22.15

This is MediaWiki 1.22.15 security and maintenance release.

Change-Id: I78610330a795b28548192c90c1bf5d46de775963

2 files changed, 15 insertions, 1 deletions

diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 20c19471370a..9d10f22215a7 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,20 @@
 Security reminder: MediaWiki does not require PHP's register_globals. If you
 have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+  could lead to xss. Permission to edit MediaWiki namespace is required to
+  exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+  part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
 == MediaWiki 1.22.14 ==
 
 This is a security and maintenance release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6feac36b986a..7856810769c3 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
  * MediaWiki version number
  * @since 1.2
  */
-$wgVersion = '1.22.14';
+$wgVersion = '1.22.15';
 
 /**
  * Name of the site. It must be changed in LocalSettings.php