Security auditing and response/status

Last update on: 2014-12-monthly


2013-03-monthly

The fundraising code base review is done. A MediaWiki security release, 1.20.3, was published on March 4. A review is underway for user metrics API.

2013-04-monthly

We released the MediaWiki 1.19.5 and 1.20.4 security releases on April 15th.

2013-05-monthly

We released MediaWiki 1.20.6/1.19.7 and provided security training for developers at the Amsterdam Hackathon.

2013-06-monthly

The team continued to respond to reported security issues, and gave security-oriented tech talks on emerging DoS techniques and using OWASP's ZAP tool for vulnerability scanning.

2013-07-monthly

The team continued to respond to reported security issues and addressed outstanding bugs.

2013-08-monthly

The team responded to reported issues, and prepared for the next MediaWiki release, scheduled on September 3. We worked with Operations to enable HTTPS for user logins in most geographies.

2013-09-monthly

The team responded to reported issues, and released MediaWiki 1.21.2, 1.20.7 and 1.19.8 security releases to fix several issues in core and extensions.

2013-10-monthly

We responded to several issues reported in core and extensions. An emergency password reset was put into place to address a private data security issue.

2013-11-monthly

We released a security update to MediaWiki to fix a number of issues in core and extensions. Security reviews of Limn, GWTools and Flow extensions are in progress.

2013-12-monthly

We continued to respond to reported security issues, and completed security reviews of Flow, the Wikimania Scholarships app, and the GLAM Wiki Toolset.

2014-01-monthly

We announced the MediaWiki 1.22.1 and 1.22.2 security releases, and continued to respond to reported vulnerabilities.

2014-02-monthly

MediaWiki 1.22.3, 1.21.6, and 1.19.12 security updates were released. We started a review of the Hadoop infrastructure and the Popups extension.

2014-03-monthly

MediaWiki 1.19.13, 1.22.5, 1.21.8 and 1.19.14 were released for security issues. An internal security training session was held for Wikimedia Foundation staff.

2014-04-monthly

We helped with the operational response to the Heartbleed vulnerability. Significant work was done on identifying and testing static analysis tools to integrate into the release workflow. We finished reviewing varnishkafka for Analytics, and Compact Personal Bar for UX. MediaWiki releases 1.21.9 and 1.22.6 fixed one security issue.

2014-05-monthly

MediaWiki (1.22.7) was released to fix an XSS vulnerability. A separate DOM XSS issue was fixed in MobileFrontend. We also finished a review of Hadoop's Camus.

2014-06-monthly

We released MediaWiki 1.23.1 to prevent multiple issues caused by loading external SVG resources. We also performed security reviews of the Wikidata property suggester, Extension:Mantle for mobile/Flow, and Flow's templating rewrite.

2014-07-monthly

MediaWiki 1.23.2 was released, fixing 3 security bugs. Security reviews were made for BounceHandler and Petition extensions, and the password API was merged.

2014-08-monthly

We completed security reviews of the Graph, WikibaseQuery and WikibaseQueryEngine extensions. Initial work was done to enable regular dynamic security scanning.

2014-09-monthly

We published the 1.23.4 security release, and completed review for the Graph and Imagemetrics extensions.

2014-10-monthly

We completed security reviews for WikiGrok, Labeled Section Transclusion headers, the IEG grant-review application, and RecentActivityFeed. We also released security updates for CentralAuth and MobileFrontend.

2014-11-monthly

We fixed four security issues in the 1.23.7 release, and completed security reviews of OOjs UI (PHP implementation), the SandboxLink extension, GlobalUserPage, and Phabricator Sprint.

2014-12-monthly

MediaWiki 1.24.1 was released, fixing issues in core and several extensions. Reviews for kafkatee and plancake email parser were finished. During December, the WMF also participated in a security assessment of MediaWiki by iSec Partners, sponsored by the Open Technology Fund. The results will be made public in February.