This is an announcement of a security release of the
LdapAuthentication plugin. This release adds support for the fix
released in MediaWiki core in versions 1.19.2 and 1.18.5 that involved
data leakage, and false authentication in situations where the
LdapAuthentication extension was returning strict() as false.

The commit for this fix is: e67d0d392d261aa5a6b59f61dae4c42119aef2e3
The change-id in Gerrit is: I5244af48b895ebfb7ca79f04019924a172c417e4
It's also tagged in the git repo as 2.0c.

Additionally, after upgrading MediaWiki and the LdapAuthentication
extension, you should also purge leaked passwords from your local
database. Please see bug 39184
<https://bugzilla.wikimedia.org/show_bug.cgi?id=39184> for information
regarding purging the passwords.
- Ryan Lane