There's a pretty simple mitigation that can be applied via configuration in LocalSettings.php if you can't patch immediately.
Fixes are out for Debian packages, the "official" Docker image, and should land in my Ubuntu PPA for focal/bionic shortly...
@nemobis Yeah...MediaWiki doesn't handle having some pages visible and others not visible well. My gut feeling is there's at least one more vulnerable action out there (not enough time to properly review them all), but at least it won't affect $wgWhitelistRead/full private wikis, just those that are using Lockdown for it.
This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!