1 files changed, 18 insertions, 3 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 311ed825..1071830b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -2,11 +2,11 @@
 
 For upgrade instructions please see the UPGRADE file in this directory.
 
-== MediaWiki 1.13.3 ==
+== MediaWiki 1.13.4 ==
 
-December 15, 2008
+February 7, 2009
 
-This is a security release of the Summer 2008 snapshot release of MediaWiki.
+This is a security update to the Summer 2008 snapshot release of MediaWiki.
 
 MediaWiki is now using a "continuous integration" development model with
 quarterly snapshot releases. The latest development code is always kept
@@ -19,6 +19,21 @@ will be made on the development trunk and appear in the next quarterly release.
 Those wishing to use the latest code instead of a branch release can obtain
 it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 
+== Changes since 1.13.3 ==
+
+A number of cross-site scripting (XSS) security vulnerabilities were discovered 
+in the web-based installer (config/index.php). These vulnerabilities all 
+require a live installer -- once the installer has been used to install a wiki, 
+it is deactivated.
+
+Note that cross-site scripting vulnerabilities can be used to attack any website
+in the same cookie domain. So if you have an uninstalled copy of MediaWiki on
+the same site as an active web service, MediaWiki could be used to attack the
+active service.
+
+If you are hosting an old copy of MediaWiki that you have never installed, you 
+are advised to remove it from the web.
+
 == Changes since 1.13.2 ==
 
 David Remahl of Apple's Product Security team has identified a number of