Comment 15 for bug 1955352

Andreas Hasenack (ahasenack) wrote :

I tried to match the sponsored patch with the upstream commits, and it's very confusing. I'm not sure I would have sponsored that as-is, at least not without further explanations.

The upstream security announcement[1] lists 5 CVEs, with 5 associated upstream bugs, but the patch in the sponsored package only mentions CVE-44854. Furthermore, the patch mentions that CVE together with upstream bug T297322[2], but the same CVE is also associated with another upstream bug T292763[3], which seems to have a different patch. I.e., are there fixes missing? What about these?

* https://phabricator.wikimedia.org/T294686
* https://phabricator.wikimedia.org/T293589
* https://phabricator.wikimedia.org/T271037

1. https://www.mediawiki.org/wiki/2021-12_security_release/FAQ
2. https://phabricator.wikimedia.org/T297322
3. https://phabricator.wikimedia.org/T292763