We need to write the email!
```
I would like to announce the release of MediaWiki 1.28.1, 1.27.2 and 1.23.16!
These releases fix five security issues in core and one for the extension
SyntaxHighlight_GeSHi. Download links are given at the end of this email.
== Security fixes ==
* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect
to interwiki links. (CVE-2017-)
* (T144845) XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true. (CVE-2017-)
* (T125177) API parameters may now be marked as "sensitive" to keep
their values out of the logs. (CVE-2017-)
* (T150044) "Mark all pages visited" on the watchlist now requires a CSRF
token. (CVE-2017-)
* (T156184) Escape content model/format url parameter in message.
(CVE-2017-)
* (T151735) SVG filter evasion using default attribute values in DTD
declaration. (CVE-2017-)
* (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter. (CVE-2017-)
* (T108138) Sysops can undelete pages, although the page is protected against
it. (CVE-2017-)
The following only affects 1.27 and above and is not included in the 1.23 upgrade:
* (T161453) LocalisationCache will no longer use the temporary directory
in it's fallback chain when trying to work out where to write the cache.
(CVE-2017-)
The following fix is for the PdfHandler extension:
* (T158689) Parameters injection in SyntaxHighlight results in multiple vulnerabilities.
(CVE-2017-)
== Links to all mentioned tasks ==
https://phabricator.wikimedia.org/T109140
https://phabricator.wikimedia.org/T122209
https://phabricator.wikimedia.org/T144845
https://phabricator.wikimedia.org/T125177
https://phabricator.wikimedia.org/T150044
https://phabricator.wikimedia.org/T156184
https://phabricator.wikimedia.org/T151735
https://phabricator.wikimedia.org/T161453
https://phabricator.wikimedia.org/T48143
https://phabricator.wikimedia.org/T108138
https://phabricator.wikimedia.org/T158689
== Release notes ==
Full release notes for 1.28.1:
<https://www.mediawiki.org/wiki/Release_notes/1.28>
Full release notes for 1.27.2:
<https://www.mediawiki.org/wiki/Release_notes/1.27>
Full release notes for 1.23.16:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
```