author Reedy <reedy@wikimedia.org> 2021-04-08 16:34:10 +0100
committer Reedy <reedy@wikimedia.org> 2021-04-08 20:52:50 +0100
commit e5823c068a2e0d8af72538fe5cd152ddb43c58e9
tree f2935ef43e0ad19ce7366d1579e12468a946a506
parent 3db31d9afd94f228af7410f57e0da025fec18793
Prep 1.35.2
Change-Id: Ifee7d9dc8f7d2a10be35bb3bd0eec2956a06ceb7
-rw-r--r-- RELEASE-NOTES-1.35 | 29
-rw-r--r-- includes/Defines.php | 2
2 files changed, 25 insertions, 6 deletions
diff --git a/RELEASE-NOTES-1.35 b/RELEASE-NOTES-1.35
index 5b7c0b41bf23..18a64d720b9c 100644
--- a/RELEASE-NOTES-1.35
+++ b/RELEASE-NOTES-1.35
@@ -11,7 +11,14 @@ PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
== MediaWiki 1.35.2 ==
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.35 branch.
+
+MediaWiki 1.35.2 supports Composer 2.0. It is reccommended to make sure your
+libraries are up to date on Composer 1.x, before running Composer 2.x.
+
+While normally running update.php isn't required for point releases,
+it is recommended to run it for 1.35.2 so that iwlinks.iwl_prefix is
+updated to take 32 characters.
=== Changes since MediaWiki 1.35.1 ===
* (T270450) The confusingly-named User->isLoggedIn() method has been deprecated
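Review bot: "reccommended" in the added Composer paragraph is misspelled; it should read "recommended", as it does three lines later in the update.php paragraph. The Composer sentence would also read more clearly without the comma before "before running Composer 2.x".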
@@ -62,7 +69,8 @@ THIS IS NOT A RELEASE YET
* (T269293) Record all used options in metadata.
* Allow usage of Composer 2.0 to install MediaWiki's dependencies.
* (T259872) skins: Call headElement() after getTemplateData() in SkinMustache.
-* (T277009) Allow blocked users to access Special:ResetTokens.
+* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access
+ Special:ResetTokens.
* (T272412) Add "Account data" section to user preferences.
* (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
* (T277520) registration: Allow specifying immovable namespaces in
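Review bot: The retagged T277009 entry reads as a permission being widened under a SECURITY label ("Allow blocked users to access Special:ResetTokens"), with nothing in the line saying what exposure the change closes. Consider adding a short clause on why a blocked user needs to reach Special:ResetTokens, so that someone scanning the SECURITY entries can judge the impact without opening the task.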
@@ -71,8 +79,10 @@ THIS IS NOT A RELEASE YET
documented and are not altered by previous calls to these methods.
* (T254688) Remove page inner join from subquery in SpecialWhatLinksHere.
* (T122124) signup: added help message for security.
-* (T278014) Escape mediastatistics-header-* messages on Special:NewFiles.
-* (T278058) Escape rcfilters-filter-* messages on ChangesList pages.
+* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages
+ on Special:NewFiles.
+* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on
+ ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than
static::class.
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php
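Review bot: The T278014 entry pairs mediastatistics-header-* messages with Special:NewFiles, which looks like a mismatch between the message prefix and the page name; please confirm the page is right, and if it is, say so in the entry so readers do not assume a typo. Both escaping entries also state what was escaped but not the consequence of the missing escaping, which is what operators with locally overridden messages will want to know when triaging CVE-2021-30154 and CVE-2021-30157.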
@@ -83,10 +93,19 @@ THIS IS NOT A RELEASE YET
config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
+* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
+* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they
+ have right to do so via action=protect.
+* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast
+ double move.
+* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can
+ create pages.
+* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for
+ inserting mostly arbitrary <meta> tags.
== MediaWiki 1.35.1 ==
-This is a maintenance release of the MediaWiki 1.35 branch.
+This is a security and maintenance release of the MediaWiki 1.35 branch.
While normally running update.php isn't required for point releases,
it is recommended to run it for 1.35.1 so that sites.site_language is
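Review bot: The T272386 entry ("Non-admin deleted enwiki page in fast double move") is a bug report title rather than a description of the change, unlike every other entry in the list; it should state what the release now prevents. The T270713 line is also hard to parse ("Allow user to only apply protection they have right to do so"); something like "Only allow users to apply protection levels they have the right to apply" would be clearer. Separately, this hunk relabels the already released 1.35.1 as a "security and maintenance release", which the commit message "Prep 1.35.2" does not mention; that correction deserves a line in the commit message or its own commit.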
diff --git a/includes/Defines.php b/includes/Defines.php
index a80b4bb70842..894808903d5f 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -37,7 +37,7 @@ use Wikimedia\Rdbms\IDatabase;
*
* @since 1.35
*/
-define( 'MW_VERSION', '1.35.1' );
+define( 'MW_VERSION', '1.35.2' );
# Obsolete aliases