From f8e3a1e258ab6beabb18dca2af983ef1647970c9 Mon Sep 17 00:00:00 2001
From: Reedy
Date: Wed, 15 Dec 2021 16:09:57 +0000
Subject: Prep 1.37.1
Change-Id: I46c139042ccd711e32ca3aec71edb92dd349869c
---
RELEASE-NOTES-1.37 | 11 +++++++++--
includes/Defines.php | 2 +-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/RELEASE-NOTES-1.37 b/RELEASE-NOTES-1.37
index 9e05fdd51318..884e92a27549 100644
--- a/RELEASE-NOTES-1.37
+++ b/RELEASE-NOTES-1.37
@@ -2,7 +2,7 @@
== MediaWiki 1.37.1 ==
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.37 branch.
=== Changes since MediaWiki 1.37.0 ===
* (T296112) Allow inserting new sections named '0'.
@@ -11,6 +11,12 @@ THIS IS NOT A RELEASE YET
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
* (T225888) RollbackAction: fix missing pagetitle.
+* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in
+ undo actions.
+* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
+* (T34716, T297416) SECURITY: Require 'read' right for most actions.
+* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook
+ when changing content model.
== MediaWiki 1.37.0 ==
@@ -36,7 +42,8 @@ THIS IS NOT A RELEASE YET
=== Changes since MediaWiki 1.37.0-rc.0 ===
* (T294043) checkStorage: pass no parameters to WikiRevision::getContent().
-* (T292763) Do not cache private wiki completion results.
+* (T292763, CVE-2021-44856) SECURITY: Do not cache private wiki completion
+ results.
* (T293783) ApiQueryImageInfo: don't show empty comments as deleted.
* (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
* (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
diff --git a/includes/Defines.php b/includes/Defines.php
index 50b7d4a9aef1..dad36360714e 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase;
*
* @since 1.35 (also backported to 1.33.3 and 1.34.1)
*/
-define( 'MW_VERSION', '1.37.0' );
+define( 'MW_VERSION', '1.37.1' );
/** @{
* Obsolete IDatabase::makeList() constants
--
cgit v1.2.3