https://www.mediawiki.org/wiki/Release_notes/1.28#MediaWiki_1.28.1

Changes since 1.28.0

* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from “WaitConditionLoop” not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as “sensitive” to keep their values out of the logs.
* (T150044) SECURITY: “Mark all pages visited” on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it’s fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax’s link parameter.