Prep 1.35.121.35.12

Change-Id: I2a924873c892c88c69d2013743bd7d4dbd435179

2 files changed, 12 insertions, 3 deletions

diff --git a/RELEASE-NOTES-1.35 b/RELEASE-NOTES-1.35
index 2ac03ea74eb1..a2190aa57413 100644
--- a/RELEASE-NOTES-1.35
+++ b/RELEASE-NOTES-1.35
@@ -14,15 +14,24 @@ PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/
 
 == MediaWiki 1.35.12 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.35 branch.
 
 === Changes since MediaWiki 1.35.11 ===
 * Localisation updates.
-* (T333050) Fix infinite loop for self-redirects with variants conversion.
+* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
+  self-redirects with variants conversion.
 * (T341434) WikiImporter: Improve error message output.
 * (T341737) ApiBase: Cast $id to string in filterIDs.
 * (T342632) ApiComparePages: Add help url.
 * (T347227) ImportReporter: Make callback functions public.
+* doc: Improve description of type in extension.schema.v1.json.
+* (T340221, CVE-2023-PENDING) SECURITY: XSS via
+  'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
+* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser
+  ("X intermediate revisions by the same user not shown") ignores username
+  suppression.
+* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
+  file to Special:Upload (non-standard configuration).
 
 == MediaWiki 1.35.11 ==
 
diff --git a/includes/Defines.php b/includes/Defines.php
index 079c1f3092b2..dd654efba510 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -37,7 +37,7 @@ use Wikimedia\Rdbms\IDatabase;
  *
  * @since 1.35
  */
-define( 'MW_VERSION', '1.35.11' );
+define( 'MW_VERSION', '1.35.12' );
 
 # Obsolete aliases