+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.