A security bug [1] has been fixed in CentralAuth; the bug caused logouts to
silently fail if the local account on the central login wiki was
unattached. That does not happen under normal circumstances, so the
vulnerability can only be exposed if some other error causes attaching
accounts to fail; nevertheless you are advised to update your
installations. The fix has been backported to all supported versions (those
for MediaWiki 1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T137551

Hi all,
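The failure mode described above (a logout that does nothing, and says nothing, when the local account is not attached centrally) is easier to see in a small model. The following is a constructed example, not CentralAuth code: `Wiki`, `SessionStore`, `logout_silent` and `logout_fail_closed` are hypothetical names, and the session layout is invented for illustration. It contrasts the silent shape with one that always tears down the local session and reports the skipped central step.

```python
"""Toy model of a central logout that depends on account attachment.

Constructed example for illustration; none of these names come from CentralAuth.
"""
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Minimal session store keyed by username (constructed for this example)."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: str) -> None:
        self.sessions[user] = "session-for-" + user

    def has_session(self, user: str) -> bool:
        return user in self.sessions

    def destroy(self, user: str) -> None:
        self.sessions.pop(user, None)


@dataclass
class Wiki:
    """A local wiki with its own sessions, a central login store, and the set of
    local accounts that are attached to a global account."""
    local: SessionStore = field(default_factory=SessionStore)
    central: SessionStore = field(default_factory=SessionStore)
    attached: set = field(default_factory=set)


def logout_silent(wiki: Wiki, user: str) -> bool:
    """The silent shape: an unattached user is returned early, nothing is cleared,
    and the caller receives no error. The user believes the logout succeeded."""
    if user not in wiki.attached:
        return False
    wiki.central.destroy(user)
    wiki.local.destroy(user)
    return True


def logout_fail_closed(wiki: Wiki, user: str) -> list:
    """Fail-closed shape: the local session is always destroyed, and any step
    that could not be completed is returned as an error string for the caller
    to log or surface (an empty list means everything succeeded)."""
    errors = []
    wiki.local.destroy(user)
    if user in wiki.attached:
        wiki.central.destroy(user)
    else:
        errors.append(f"central logout skipped: local account '{user}' is not attached")
    return errors


if __name__ == "__main__":
    w = Wiki()
    w.local.login("alice")
    w.central.login("alice")
    print("silent:", logout_silent(w, "alice"), "local session left:", w.local.has_session("alice"))
    print("fail-closed:", logout_fail_closed(w, "alice"), "local session left:", w.local.has_session("alice"))
```

The point the test makes: with the silent variant the unattached user still holds a valid local session after "logging out", whereas the fail-closed variant clears it and hands back a concrete error instead of swallowing the condition.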
a minor security bug [1] has been fixed in the OAuth extension:
* a connected application could use the /identify endpoint to learn the
username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the
username of a user even if the user was locked or blocked from login (this
could be problematic when OAuth is used for authentication, such as with
the OAuthAuthentication [2] extension).
The fix has been backported to all supported versions (those for MediaWiki
1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication
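Both items in the advisory above come down to an identity endpoint that validated the token but not the state of the consumer or of the user behind it. The following constructed example (not the OAuth extension's code; `Consumer`, `User`, `AccessToken`, `IdentifyEndpoint` and `IdentifyError` are hypothetical names) puts the unchecked shape next to one that refuses to return a username when the application has been disabled or the user is locked or blocked from login.

```python
"""Toy /identify endpoint: unchecked shape beside the checked one.

Constructed example for illustration; names and data layout are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Consumer:
    """A registered OAuth application (constructed)."""
    key: str
    disabled: bool = False


@dataclass(frozen=True)
class User:
    """A wiki account; locked and blocked both mean login must be refused (constructed)."""
    name: str
    locked: bool = False
    blocked: bool = False


@dataclass(frozen=True)
class AccessToken:
    """An already-validated access token binding a consumer to a user (constructed)."""
    consumer_key: str
    user_name: str


class IdentifyError(Exception):
    """Raised when the identity must not be disclosed to the caller."""


class IdentifyEndpoint:
    def __init__(self, consumers: dict, users: dict) -> None:
        self.consumers = consumers  # key -> Consumer
        self.users = users          # name -> User

    def identify_unchecked(self, token: AccessToken) -> dict:
        """The vulnerable shape: a valid token is enough to learn the username,
        regardless of whether the application is still enabled or the user may log in."""
        user = self.users[token.user_name]
        return {"username": user.name}

    def identify(self, token: AccessToken) -> dict:
        """The checked shape: refuse when the consumer is unknown or disabled, then
        refuse when the user is locked or blocked. Only then disclose the identity."""
        consumer = self.consumers.get(token.consumer_key)
        if consumer is None or consumer.disabled:
            raise IdentifyError("application is unknown or disabled")
        user = self.users.get(token.user_name)
        if user is None or user.locked or user.blocked:
            raise IdentifyError("user is not permitted to log in")
        return {"username": user.name}

    def identify_or_none(self, token: AccessToken) -> Optional[dict]:
        """Convenience wrapper: identity dict on success, None when disclosure is refused."""
        try:
            return self.identify(token)
        except IdentifyError:
            return None


def build_demo_endpoint() -> IdentifyEndpoint:
    """Constructed fixture: one live app, one disabled app, one normal user,
    one locked user and one blocked user."""
    consumers = {
        "app-live": Consumer("app-live"),
        "app-off": Consumer("app-off", disabled=True),
    }
    users = {
        "alice": User("alice"),
        "mallory": User("mallory", locked=True),
        "trudy": User("trudy", blocked=True),
    }
    return IdentifyEndpoint(consumers, users)


if __name__ == "__main__":
    ep = build_demo_endpoint()
    for tok in (AccessToken("app-live", "alice"), AccessToken("app-off", "alice"),
                AccessToken("app-live", "mallory"), AccessToken("app-live", "trudy")):
        print(tok, "unchecked:", ep.identify_unchecked(tok), "checked:", ep.identify_or_none(tok))
```

The ordering matters for an authentication use such as OAuthAuthentication: the consumer check stops a revoked application from continuing to resolve identities, and the user check stops a locked or blocked account from being authenticated through OAuth when a direct login would be refused.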