Hi lists,
If you haven't patched with the last security release, or know of a wiki that hasn't patched yet, please do so immediately. An exploit was released on the full disclosure mailing list over the weekend[1] that targets the vulnerability in the PdfHandler extension.
If you're not able to patch for some reason, you may be able to work around the issue:
* If you have never allowed .djvu files to be uploaded, but you do allow pdf files, you can simply disable the PdfHandler extension (typically by removing the include in your LocalSettings.php).
* If you have any .djvu files saved on your wiki, then there is no workaround -- you need to apply the security patch to MediaWiki core.
If anyone is running an unsupported branch of MediaWiki (1.20 was recently EOL'ed), and needs help creating a patch for their instance, I'm happy to try and work with you to get the vulnerability closed. Contact me off list, or on irc.
wikitech-l@lists.wikimedia.org