Security auditing and response/status
This page is obsolete. It is being retained for archival purposes. It may document extensions or features that are obsolete and/or no longer supported. Do not rely on the information here being up-to-date.
Last update on: 2014-12-monthly
2013-03-monthly
The fundraising code base review is done. A MediaWiki security release, 1.20.3, was published on March 4. A review is underway for user metrics API.
2013-04-monthly
We released the MediaWiki 1.19.5 and 1.20.4 security releases on April 15th.
2013-05-monthly
We released MediaWiki 1.20.6/1.19.7 and provided security training for developers at the Amsterdam Hackathon.
2013-06-monthly
The team continued to respond to reported security issues, and gave security-oriented tech talks on emerging DoS techniques and using OWASP's ZAP tool for vulnerability scanning.
2013-07-monthly
The team continued to respond to reported security issues, and addressed outstanding bugs.
2013-08-monthly
The team responded to reported issues, and prepared for the next MediaWiki release, scheduled on September 3. We worked with Operations to enable HTTPS for user logins in most geographies.
2013-09-monthly
The team responded to reported issues, and released MediaWiki 1.21.2, 1.20.7 and 1.19.8 security releases to fix several issues in core and extensions.
2013-10-monthly
We responded to several issues reported in core and extensions. An emergency password reset was put into place to address a private data security issue.
2013-11-monthly
We released a security update to MediaWiki to fix a number of issues in core and extensions. Security reviews of Limn, GWTools and Flow extensions are in progress.
2013-12-monthly
We continued to respond to reported security issues, and completed security reviews of Flow, the Wikimania Scholarships app, and the GLAM Wiki Toolset.
2014-01-monthly
We announced the MediaWiki 1.22.1 and 1.22.2 security releases, and continued to respond to reported vulnerabilities.
2014-02-monthly
MediaWiki 1.22.3, 1.21.6, and 1.19.12 security updates were released. We started a review of the Hadoop infrastructure and the Popups extension.
2014-03-monthly
MediaWiki 1.19.13, 1.22.5, 1.21.8 and 1.19.14 were released for security issues. An internal security training session was held for Wikimedia Foundation staff.
2014-04-monthly
We helped with the operational response to the Heartbleed vulnerability. Significant work was done on identifying and testing static analysis tools to integrate into the release workflow. We finished reviewing varnishkafka for Analytics, and Compact Personal Bar for UX. MediaWiki releases 1.21.9 and 1.22.6 fixed one security issue.
2014-05-monthly
MediaWiki (1.22.7) was released to fix an XSS vulnerability. A separate DOM XSS issue was fixed in MobileFrontend. We also finished a review of Hadoop's Camus.
2014-06-monthly
We released MediaWiki 1.23.1 to prevent multiple issues caused by loading external SVG resources. We also performed security reviews of the Wikidata property suggester, Extension:Mantle for mobile/Flow, and Flow's templating rewrite.
2014-07-monthly
MediaWiki 1.23.2 was released, fixing 3 security bugs. Security reviews were made for BounceHandler and Petition extensions, and the password API was merged.
2014-08-monthly
We completed security reviews of the Graph, WikibaseQuery and WikibaseQueryEngine extensions. Initial work was done to enable regular dynamic security scanning.
2014-09-monthly
We published the 1.23.4 security release, and completed review for the Graph and Imagemetrics extensions.
2014-10-monthly
We completed security reviews for WikiGrok, Labeled Section Transclusion headers, the IEG grant-review application, and RecentActivityFeed. We also released security updates for CentralAuth and MobileFrontend.
2014-11-monthly
We fixed four security issues in the 1.23.7 release, and completed security reviews of OOjs UI (PHP Implementation), SandboxLink extension, GlobalUserPage, and Phabricator Sprint.
2014-12-monthly
MediaWiki 1.24.1 was released, fixing issues in core and several extensions. Reviews for kafkatee and plancake email parser were finished. During December, the WMF also participated in a security assessment of MediaWiki by iSec Partners, sponsored by the Open Technology Fund. The results will be made public in February.