Hi all,
In the process of the previous security release, T124940 was fixed in
core MediaWiki (it deals with unacceptably long shell inputs). There was
also a related fix in Math that I just noticed had never been released--even
thought it was disclosed (with a patch) on the task in question.
It's been published to
https://gerrit.wikimedia.org/r/#/c/333309/ (for
master)
and is being backported to all supported branches (1.28.x, 1.27.x, 1.23.x)
This isn't an extension we bundle in core MW which explains the oversight.
-Chad