mediawiki-1.27.2-1.fc25

* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect
to interwiki links. (CVE-2017-0363, CVE-2017-0364)
* (T144845) XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true. (CVE-2017-0365)
* (T125177) API parameters may now be marked as “sensitive” to keep
their values out of the logs. (CVE-2017-0361)
* (T150044) “Mark all pages visited” on the watchlist now requires a CSRF
token. (CVE-2017-0362)
* (T156184) Escape content model/format url parameter in message.
(CVE-2017-0368)
* (T151735) SVG filter evasion using default attribute values in DTD
declaration. (CVE-2017-0366)
* (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion
syntax’s link parameter. (CVE-2017-0370)
* (T108138) Sysops can undelete pages, although the page is protected
against it. (CVE-2017-0369)

The following only affects 1.27 and above and is not included in the 1.23
upgrade:

* (T161453) LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
(CVE-2017-0367)

The following fix is for the SyntaxHighlight extension:

* (T158689) Parameters injection in SyntaxHighlight results in multiple
vulnerabilities. (CVE-2017-0372)