[Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Chad
Hi all, In the process of the previous security release, T124940 was fixed in core MediaWiki (it deals with unacceptably long shell inputs). There was also a related fix in Math that I just noticed had never been released--even though it was disclosed (with a patch) on the task in question.

[Wikitech-l] Discovery Weekly Update for the week starting 2017-01-16

2017-01-20 Thread Chris Koerner
Hello, Here are this past week's updates from the Discovery department. == Highlights == * Finalized the second BM25 testing analysis and linked to the pdf here. [0] ==Search == * Migrated Phan for CirrusSearch to Jenkins. (technical debt) [1] [2] * Finished writing up, summarizing, and

Re: [Wikitech-l] Map replaces GeoHack on ruwiki

2017-01-20 Thread Tim Landscheidt
Yuri Astrakhan wrote: > Russian Wikipedia just replaced all of their map links in the upper right > corner (geohack) with the - Kartographer extension! Moreover, > when clicking the link, it also shows the location outline, if that object > exists in OpenStreetMap,

[Wikitech-l] [SECURITY] CentralAuth - Tokens & apioutput.js

2017-01-20 Thread Chad
Hi, This shouldn't affect very many installations as CentralAuth is very WMF-specific but letting everyone know that a fix for CentralAuth has just been released. It allowed user impersonation by a combination of the apioutput.js (used for api.php output customization) and the central auth

Re: [Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Legoktm
Hi, Somewhat related, in the last MediaWiki security release, the bugs already have CVE numbers assigned to them. Would it be possible to get CVE ids for extension security issues in advance as well? -- Legoktm

[Wikitech-l] Updated texvc (Math rendering) Debian packages now available

2017-01-20 Thread Legoktm
Hi, texvc is an OCaml program that generates PNG images for the Math extension. Packages for Debian and Ubuntu are now available, please see for more details. This package is useful regardless of whether you are using the mediawiki

[Wikitech-l] SECURITY: Flow security fix to make sure EnableFlow is always attributed

2017-01-20 Thread Matthew Flaschen
There is a security fix to ensure that EnableFlow is always properly attributed. This may be an issue if you see users maliciously using Special:EnableFlow on pages that already exist. It should be merged shortly, but in the meantime, you can download it from Gerrit

[Wikitech-l] Map replaces GeoHack on ruwiki

2017-01-20 Thread Yuri Astrakhan
Russian Wikipedia just replaced all of their map links in the upper right corner (geohack) with the - Kartographer extension! Moreover, when clicking the link, it also shows the location outline, if that object exists in OpenStreetMap, using corresponding Wikidata ID. My deepest respect to my

Re: [Wikitech-l] SECURITY: Flow security fix to make sure EnableFlow is always attributed

2017-01-20 Thread Matthew Flaschen
On 01/20/2017 05:02 PM, Matthew Flaschen wrote: There is a security fix to ensure that EnableFlow is always properly attributed. This may be an issue if you see users maliciously using Special:EnableFlow on pages that already exist. To clarify, the page already existing is fine. It's just