Any chance that Wikimedia Foundation can actually do proper releases of this extension, rather than sending people a link to a phabricator page that has a link to a gerrit change buried in the comments?
This seems like a pretty poor way to do a security release to third parties that may be relying on this.
On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson jrobson@wikimedia.org wrote:
A security vulnerability has been discovered in MediaWiki setups which use MobileFrontend.
Revisions who's visibility had been alerted were showing up in parts of the mobile UI.
All projects in the Wikimedia cluster have been since patched but if you use this extension please be sure to apply the fix.
Patch file and issue are documented on https://phabricator.wikimedia.org/T133700
Note there is some follow-up work to do which is tracked in: https://phabricator.wikimedia.org/T133722
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l