Security reviews/status
Last update on: 2013-03-14
2012-06-06
Two new vulnerabilities were reported or identified in code review; one fix was put into production. An initial audit of global JavaScript and CSS across WMF sites was done in response to reports of privacy-violating JavaScript. Further enhancements to SVG security were completed.
2012-05-monthly
Chris Steipp has started auditing several parts of our system. Two new vulnerabilities were reported or identified in code review; one fix was put into production. Chris also completed an initial audit of global JavaScript and CSS across Wikimedia sites, in response to reports of problematic JavaScript. He finished work on an enhanced SVG security filter that strips out elements not included on a feature whitelist.
2012-06-monthly
Chris Steipp was on leave for much of June. Work continues on the audit of global JavaScript and CSS across Wikimedia sites. Three security issues were opened and two were closed. Secure code review training was given at the Berlin Hackathon.
2012-07-27
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.
2012-07-monthly
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.
2012-08-monthly
Improved filtering in uselang with MediaWiki 1.20/wmf8 fixed several DOM-based XSS vulnerabilities in different gadgets. Chris Steipp fixed 4 security issues in core, and released MediaWiki 1.19.2 and 1.18.5 to include them.
2012-09-monthly
The team continues to respond to reported vulnerabilities. Chris Steipp led secure code training at WMF tech days for WMF staff. Chris also performed a review pass on the Wikidata extensions.
2012-10-monthly
The team continued to respond to and fix reported vulnerabilities. They worked on improving the release process for security updates to supported versions of MediaWiki, and provided significant security reviews of extensions for Wikivoyage and Wikidata.
2012-11-monthly
The team continued to respond to several reported vulnerabilities, and released new versions of all supported MediaWiki branches (1.20.1, 1.19.3, 1.18.6) to address vulnerabilities in core. Significant security reviews continued for Wikidata and Wikivoyage extensions.
2012-12-monthly
The team continued to respond to several reported vulnerabilities. A follow-up security review for Wikidata phase 2/3 was done.
2013-01-monthly
The team continued to respond to reported vulnerabilities, began a security review of fundraising extensions, and continued reviews of Wikidata features.
2013-02-monthly
Continued responses to reported vulnerabilities. Preparation for security releases for 1.19 and 1.20 branches of MediaWiki. Continued review of Fundraising.
2013-03-14
Fundraising code base review is done. MediaWiki 1.20.3 security release was published on March 4.