https://bugs.ghostscript.com/show_bug.cgi?id=697808 refers to a new vulnerability in Ghostscript which allows bypass of -dSAFER. Apparently this was used for the recent HipChat compromise. There's no upstream fix yet.
We have one extension running on the cluster which also shells out to Ghostscript: extensions/PdfHandler/extension.json sets "PdfProcessor" to gs. I don't know anything about that extension myself; I just noticed it when looking around.
I suggest we wrap this extension with firejail, both to neuter the immediate vulnerability and as hardening going forward. We already have a wrapper installed on all application servers which launches Ghostscript with a strict firejail confinement (the same we also use for ImageMagick): /usr/local/bin/mediawiki-firejail-ghostscript, so I assume all that would be needed would be to deploy a change which switches PdfProcessor to /usr/local/bin/mediawiki-firejail-ghostscript.