Security fixes:
T122056: Old tokens are remaining valid within a new session
T127114: Login throttle can be tricked using non-canonicalized usernames
T123653: Cross-domain policy regexp is too narrow
T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
T129506: MediaWiki:Gadget-popups.js isn't renderable
T125283: Users occasionally logged in as different users after SessionManager deployment
T103239: Patrol allows click catching and patrolling of any page
T122807: [tracking] Check php crypto primitives
T98313: Graphs can leak tokens, leading to CSRF
T130947: Diff generation should use PoolCounter
T133507: Careless use of $wgExternalLinkTarget is insecure
T132874: API action=move is not rate limited