These releases also serve as maintenance releases for these branches.
Note that the patches are much larger than those of recent security and maintenance releases. This is due to the re-introduction of translation backports. These include the export of new languages that have met the translation threshold in the development branch of MediaWiki. These translation updates are for both MediaWiki core and the bundled skins and extensions. In the case of MediaWiki 1.35, the translation updates go back 18 months, hence the size of the patch.
While tarballs have already been uploaded as of this e-mail, git tags will follow later on today.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
Finally, a big thanks to all those involved in reporting, investigating and fixing these issues.
== Security fixes ==
* (T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action.