A bug[1] was identified in CentralAuth that would allow a user to log in to
a wiki with a reserved or otherwise "unusable" account if that account was
not reserved on another wiki in the CentralAuth cluster.
Patches for supported branches are:
* master (1.28 alpha):
https://gerrit.wikimedia.org/r/304856
* REL1_27:
https://gerrit.wikimedia.org/r/304857
* REL1_26:
https://gerrit.wikimedia.org/r/304858
* REL1_23:
https://gerrit.wikimedia.org/r/304861
If you are using an earlier version, you should upgrade your MediaWiki
installation.
[1]:
https://phabricator.wikimedia.org/T130384
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation