-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello Everyone. This is an advisory that the SimpleSecurity extension has unfixed security issues, and that people relying on it should consider moving to a different solution. The extension does not take caching into consideration, and is not secure when $wgMainCacheType is something other than CACHE_NONE. We received a bug report about this quite a long time ago, however it appears nobody is maintaining the extension, and we were unable to find anyone to forward the report to who was interested in fixing the issue. So instead we are making the issue public and issuing this warning about it. The issue in question is https://phabricator.wikimedia.org/T48843 The extension in question is https://www.mediawiki.org/wiki/Extension:SimpleSecurity Sincerely, Brian Wolff Wikimedia Security Team P.S. This is the first time I've ever written a warning like this for an extension. In the past, we've just put security alerts on the extension page or sometimes just ignored them (which I consider bad). I would like feedback from mediawiki-l if people on this list appreciate getting a notice like this, or if you folks consider it off topic. Any other feedback about how we handle security issues reported to us for extensions we do not make or maintain is also appreciated.