+ * The "mediawiki" remote backend which lives in contrib/mw-to-git/
+ and is not built with git by default, had an RCE bug allowing a
+ malicious MediaWiki server operator to inject arbitrary commands
+ for execution by a cloning client. This has been fixed.
+
+ The bug was discovered and reported by Joern Schneeweisz of GitLab
+ to the git-security mailing list. Its practical impact due to the
+ obscurity of git-remote-mediawiki was deemed small enough to forgo
+ a dedicated security release.
+
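Review bot: The first paragraph of this entry says the RCE "has been fixed" but gives anyone who did install contrib/mw-to-git/ nothing to act on. Since the second paragraph says there is no dedicated security release, this note is the only notice those users get. It should say that the helper has to be reinstalled from this release, because the text itself notes it is not built with git by default, so upgrading git alone may not replace an installed copy. It should also point to the fixing commit or name the server-controlled input involved, so operators can judge their exposure. Two wording points: the lone comma after "by default" needs a partner after "backend", and "Its practical impact due to the obscurity of git-remote-mediawiki was deemed small enough" would read more clearly as "Because git-remote-mediawiki is rarely used, its practical impact was deemed small enough".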