Prep 1.38.31.38.3

Change-Id: I6e0cd7a9949d8de23fbddd9ba56746f740a70cbf

2 files changed, 9 insertions, 3 deletions

diff --git a/RELEASE-NOTES-1.38 b/RELEASE-NOTES-1.38
index 1336707107f4..1729b3cf4b46 100644
--- a/RELEASE-NOTES-1.38
+++ b/RELEASE-NOTES-1.38
@@ -2,7 +2,7 @@
 
 == MediaWiki 1.38.3 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.38 branch.
 
 === Changes since MediaWiki 1.38.2 ===
 * Localisation updates.
@@ -47,7 +47,7 @@ THIS IS NOT A RELEASE YET
 * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
 * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix
   php8.1.
-* (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for 
+* (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for
   ImportSource.
 * Fix tests so getName() doesn't return null.
 * (T313663) [php8] Don't use strlen on potentially null string.
@@ -108,6 +108,12 @@ THIS IS NOT A RELEASE YET
 * (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset.
 * (T318460) SpecialChangeEmail: Set default for returntoquery.
 * (T318307) Update docs for HTMLFormField::validate() to permit all data types.
+* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
+  in an IP range check on Special:Contributions.
+* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
+  of hidden users.
+* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message
+  "alreadyrolled" can leak revision deleted user name.
 
 == MediaWiki 1.38.2 ==
 
diff --git a/includes/Defines.php b/includes/Defines.php
index fc6c440ff2fe..9d950fb8d531 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
  *
  * @since 1.35 (also backported to 1.33.3 and 1.34.1)
  */
-define( 'MW_VERSION', '1.38.2' );
+define( 'MW_VERSION', '1.38.3' );
 
 /** @{
  * Obsolete IDatabase::makeList() constants