This is an announcement of a security release of the LdapAuthentication plugin. This release adds support for the fix released in MediaWiki core in versions 1.19.2 and 1.18.5 that involved data leakage, and false authentication in situations where the LdapAuthentication extension was returning strict() as false.
The commit for this fix is: e67d0d392d261aa5a6b59f61dae4c42119aef2e3
The change-id in Gerrit is: I5244af48b895ebfb7ca79f04019924a172c417e4
It's also tagged in the git repo as 2.0c.
Additionally, after upgrading MediaWiki and the LdapAuthentication extension, you should also purge leaked passwords from your local database. Please see bug 39184 https://bugzilla.wikimedia.org/show_bug.cgi?id=39184 for information regarding purging the passwords.
- Ryan Lane
wikitech-l@lists.wikimedia.org