Security auditing and response/status

Last update on: 2014-12-monthly


2013-03-monthly

edit

The fundraising code base review is done. A MediaWiki security release, 1.20.3, was published on March 4. A review is underway for user metrics API.

2013-04-monthly

edit

We released the MediaWiki 1.19.5 and 1.20.4 security releases on April 15th.

2013-05-monthly

edit

We released MediaWiki 1.20.6/1.19.7 and provided security training for developers at the Amsterdam Hackathon.

2013-06-monthly

edit

The team continued to respond to reported security issues, and gave security-oriented tech talks on emerging DoS techniques and using OWASP's ZAP tool for vulnerability scanning.

2013-07-monthly

edit

The team continued to respond to reported security issues, and addressing outstanding bugs.

2013-08-monthly

edit

The team responded to reported issues, and prepared for the next MediaWiki release, scheduled on September 3. We worked with Operations to enable HTTPS for user logins in most geographies.

2013-09-monthly

edit

The team responded to reported issues, and released MediaWiki 1.21.2, 1.20.7 and 1.19.8 security releases to fix several issues in core and extensions.

2013-10-monthly

edit

We responded to several issues reported in core and extensions. An emergency password reset was put into place to address a private data security issue.

2013-11-monthly

edit

We released a security update to MediaWiki to fix a number of issues in core and extensions. Security reviews of Limn, GWTools and Flow extensions are in progress.

2013-12-monthly

edit

We continued to respond to reported security issues, and completed security reviews of Flow, the Wikimania Scholarships app, and the GLAM Wiki Toolset.

2014-01-monthly

edit

We announced the MediaWiki 1.22.1 and 1.22.2 security releases, and continued to respond to reported vulnerabilities.

2014-02-monthly

edit

MediaWiki 1.22.3, 1.21.6, and 1.19.12 security updates were released. We started a review of the Hadoop infrastructure and the Popups extension.

2014-03-monthly

edit

MediaWiki 1.19.13, 1.22.5, 1.21.8 and 1.19.14 were released for security issues. An internal security training session was held for Wikimedia Foundation staff.

2014-04-monthly

edit

We helped with the operational response to the Heartbleed vulnerability. Significant work was done on identifying and testing static analysis tools to integrate into the release workflow. We finished reviewing varnishkafka for Analytics, and Compact Personal Bar for UX. MediaWiki releases 1.21.9 and 1.22.6 fixed one security issue.

2014-05-monthly

edit

MediaWiki (1.22.7) was released to fix an XSS vulnerability. A separate DOM XSS issue was fixed in MobileFrontend. We also finished a review of Hadoop's Camus.

2014-06-monthly

edit

We released MediaWiki 1.23.1 to prevent multiple issues caused by loading external SVG resources. We also performed security reviews of the Wikidata property suggester, Extension:Mantle for mobile/Flow, and Flow's templating rewrite.

2014-07-monthly

edit

MediaWiki 1.23.2 was released, fixing 3 security bugs. Security reviews were made for BounceHandler and Petition extensions, and the password API was merged.

2014-08-monthly

edit

We completed security reviews of the Graph, WikibaseQuery and WikibaseQueryEngine extensions. Initial work was done to enable regular dynamic security scanning.

2014-09-monthly

edit

We published the 1.23.4 security release, and completed review for the Graph and Imagemetrics extensions.

2014-10-monthly

edit

We completed security reviews for WikiGrok, Labeled Section Transclusion headers, the IEG grant-review application, and RecentActivityFeed. We also released security updates for CentralAuth and MobileFrontend.

2014-11-monthly

edit

We fixed four security issues in the 1.23.7 release., and completed security reviews of OOjs UI (PHP Implementation), SandboxLink extension, GlobalUserPage, and Phabricator Sprint.

2014-12-monthly

edit

MediaWiki 1.24.1 was released, fixing issues in core and several extensions. Reviews for kafkatee and plancake email parser were finished. During December, the WMF also participated in a security assessment of MediaWiki by iSec Partners, sponsored by the Open Technology Fund. The results will be made public in February.