authorReedy <reedy@wikimedia.org>2021-12-15 16:09:57 +0000
committerReedy <reedy@wikimedia.org>2021-12-15 20:11:00 +0000
commitf8e3a1e258ab6beabb18dca2af983ef1647970c9 (patch)
treeb23fd31f29cbdf73a77c71374c797729a2c7d5c1
parent48e8457d0ab3d5bab80b2efe17d5f4b9a1aedffc (diff)
Prep 1.37.11.37.1
Change-Id: I46c139042ccd711e32ca3aec71edb92dd349869c
-rw-r--r--RELEASE-NOTES-1.3711
-rw-r--r--includes/Defines.php2
2 files changed, 10 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.37 b/RELEASE-NOTES-1.37
index 9e05fdd51318..884e92a27549 100644
--- a/RELEASE-NOTES-1.37
+++ b/RELEASE-NOTES-1.37
@@ -2,7 +2,7 @@
== MediaWiki 1.37.1 ==
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.37 branch.
=== Changes since MediaWiki 1.37.0 ===
* (T296112) Allow inserting new sections named '0'.
@@ -11,6 +11,12 @@ THIS IS NOT A RELEASE YET
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField
method.
* (T225888) RollbackAction: fix missing pagetitle.
+* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in
+ undo actions.
+* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
+* (T34716, T297416) SECURITY: Require 'read' right for most actions.
+* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook
+ when changing content model.
== MediaWiki 1.37.0 ==
@@ -36,7 +42,8 @@ THIS IS NOT A RELEASE YET
=== Changes since MediaWiki 1.37.0-rc.0 ===
* (T294043) checkStorage: pass no parameters to WikiRevision::getContent().
-* (T292763) Do not cache private wiki completion results.
+* (T292763, CVE-2021-44856) SECURITY: Do not cache private wiki completion
+ results.
* (T293783) ApiQueryImageInfo: don't show empty comments as deleted.
* (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
* (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
diff --git a/includes/Defines.php b/includes/Defines.php
index 50b7d4a9aef1..dad36360714e 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
*
* @since 1.35 (also backported to 1.33.3 and 1.34.1)
*/
-define( 'MW_VERSION', '1.37.0' );
+define( 'MW_VERSION', '1.37.1' );
/** @{
* Obsolete IDatabase::makeList() constants