Tim Starling just announced a fix to a recently noticed security flaw in
MediaWiki on wikitech-l. This fix involves a non-backwards-compatible
change to the MediaWiki API login action.
Details here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
While this does not _directly_ affect the toolserver, a large number of
bots running here will be affected. As the fix is already live on
Wikimedia sites, any bot that has not been updated will be unable to log
in using the API. (Some old bots logging in via Special:Userlogin may
also be affected, depending on how they construct the login request.)
The necessary fix is not particularly complex. I only had to add one
extra line of Perl code to my own bot to make it work again:
http://commons.wikimedia.org/w/index.php?diff=37368315&oldid=36496675
I expect that most commonly used bot frameworks will soon be updated to
be compatible with the new login syntax. In the meantime, operators of
long-running bots may wish to avoid logging them out until they've been
fixed so that they can log back in.
--
Ilmari Karonen