API parameters may now be marked as "sensitive" to keep their values out of the logs (CVE-2017-0361).
"Mark all pages visited" on the watchlist now requires a CSRF token (CVE-2017-0362).
Special:UserLogin and Special:Search allowed redirects to interwiki links (CVE-2017-0363, CVE-2017-0364).
XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true (CVE-2017-0365).
SVG filter evasion using default attribute values in DTD declaration (CVE-2017-0366).
Escape the content model/format URL parameter in the message (CVE-2017-0368).
Sysops could undelete pages even when the page was protected against undeletion (CVE-2017-0369).
The spam blacklist was ineffective on encoded URLs inside the link parameter of the file inclusion syntax (CVE-2017-0370).
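The "mark all pages visited" fix above (CVE-2017-0362) is an instance of a general rule: a state-changing action reachable by a logged-in user must require a POST carrying a token that only the legitimate page can know, otherwise a link planted on another site can trigger it. The following is an added example written for this page and is not MediaWiki's own code; the session array, the `markAllVisited` function and the sample watchlist are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code: minimal CSRF protection for a
// state-changing action such as "mark all pages visited".
declare(strict_types=1);

// Issue (or reuse) a per-session random token. $session is an ordinary array
// standing in for $_SESSION so the example runs without a web server.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Check a submitted token against the session token in constant time, so a
// mismatch does not leak how many leading bytes were correct.
function csrfTokenMatches(array &$session, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(csrfToken($session), $submitted);
}

// The guarded action. $request is a constructed stand-in for the HTTP
// request: method plus form fields. Returns true only if the watchlist
// was actually modified.
function markAllVisited(array $request, array &$session, array &$watchlist): bool
{
    // A GET (the kind of request a planted link or <img> tag produces) is
    // refused even for an authenticated user; only a POST is considered.
    if (($request['method'] ?? 'GET') !== 'POST') {
        return false;
    }
    // The token must match the one issued to this session; a request forged
    // from another origin cannot read it and so cannot supply it.
    if (!csrfTokenMatches($session, $request['token'] ?? null)) {
        return false;
    }
    foreach ($watchlist as &$entry) {
        $entry['visited'] = true;
    }
    unset($entry);
    return true;
}

// Constructed sample data: one session, one watched page, two requests.
$session   = [];
$watchlist = [['title' => 'Main_Page', 'visited' => false]];

// Forged request: no token, and a GET. Nothing changes.
$forged = ['method' => 'GET'];
var_dump(markAllVisited($forged, $session, $watchlist));

// Request from the real form: POST with the session's own token. Succeeds.
$legit = ['method' => 'POST', 'token' => csrfToken($session)];
var_dump(markAllVisited($legit, $session, $watchlist));
var_dump($watchlist[0]['visited']);
```

Two details matter in practice: the token is compared with `hash_equals` rather than `===`, and the method check is not optional, since a token check alone still leaves the action callable from a plain link if the handler also accepts GET. Token rotation on login and binding the form to the session are the usual next steps beyond this minimal version.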