Description
API parameters may now be marked as "sensitive" to keep their values out
of the logs (CVE-2017-0361).
"Mark all pages visited" on the watchlist now requires a CSRF token
(CVE-2017-0362).
Special:UserLogin and Special:Search allow redirect to interwiki links
(CVE-2017-0363, CVE-2017-0364).
XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true (CVE-2017-0365).
SVG filter evasion using default attribute values in DTD declaration
(CVE-2017-0366).
Escape content model/format URL parameter in message (CVE-2017-0368).
Sysops can undelete pages even when the page is protected against it
(CVE-2017-0369).
Spam blacklist ineffective on encoded URLs inside file inclusion syntax's
link parameter (CVE-2017-0370).