Supplementary security updates to the [MediaWiki 1.39.5 security update](https://phabricator.wikimedia.org/T347553) were released recently. As far as I can see, `Wikibase` and `EntitySchema` are the only extensions that we include from this list.
```
With the security/maintenance release of MediaWiki 1.35.12/1.39.5/1.40.1,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
EntitySchema
+ (T339016, CVE-2023-45368) - EntitySchema edits don't run through
AbuseFilter
https://gerrit.wikimedia.org/r/q/Id71ece831c929fadb1710634de9a7be5f02e0b0e
Wikibase
+ (T333980, CVE-2023-45366) - FederatedPropertiesError shows label as
unescaped HTML
https://gerrit.wikimedia.org/r/q/I76b953be86d6465ee7355c0a189c68cf20457786
```
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2DJ5FTR5UVXLYROAH4ZVYZBYOPLXYQZT/
ACs:
- [ ] Wikibase extension is updated in wikibase.clouds mediawiki repo
- [ ] ... EntitySchema extension is updated
- [ ] a new release including above updates is deployed to staging
- [ ] ... deployed to production