Hi everyone,
In July 2020, vulnerabilities that allowed for remote code execution were discovered within the Score extension [0], which primarily uses LilyPond [1] to provide musical scores on-wiki. Further investigation found more vulnerabilities within LilyPond and firejail.
We are now publishing a security advisory for the Score extension with information about the discovered vulnerabilities and information regarding how to secure Score using Shellbox [3]. Please refer to that for information on how to set up the Score extension in a secure manner.
Thanks,
[0] https://www.mediawiki.org/wiki/Extension:Score
[1] https://lilypond.org/
[2] https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
mediawiki-announce@lists.wikimedia.org