Wikimedia Security Team/AppSec Clinic Minutes/2022-05-26

Date: 2022-05-26

Attending: MMartorana_(WMF), MStyles_(WMF), SBassett_(WMF)

From Last Time

  1. T306514 - Assigned to MStyles_(WMF)
    1. Result: self-assigned and still in-progress
  2. T306516 - Assigned to Reedy_(WMF)
    1. Result: no update
  3. T307278 - Assigned to MMartorana_(WMF)
    1. Result: patch still in progress
  4. T304291 - Assigned to MMartorana_(WMF)
    1. Done! Told to request new application security review.
  5. T306211 - Assigned to Reedy_(WMF)
    1. Result: no update
  6. T307750 - Assigned to MMartorana_(WMF)
    1. Still in progress, waiting on Release Engineering review, may need to escalate.
  7. T308101 - Assigned to MStyles_(WMF) for triage
    1. Risk rated, vuln rated, untagged security-team, to provide credentials advice
  8. T307991 - Assigned to SBassett_(WMF)
    1. Done! Risk rated, vuln rated, untagged security-team, Growth team and Releng appear to be triaging

Phabricator Tasks Reviewed

  1. T308659 - Assigned to MStyles_(WMF)
    1. Patches done and in production, adjust tags, track for supplemental security release (T305209)
  2. T309028 - Assigned to MMartorana_(WMF)
    1. Patches done and in production, adjust tags, track for main security release (T305200), I believe
  3. T308471 - Assigned to SBassett_(WMF) to triage
  4. T308473 - Assigned to MStyles_(WMF) to triage
  5. T308583 - Assigned to MMartorana_(WMF) to triage
  6. T308861 - Assigned to SBassett_(WMF) to triage
  7. T309077 - Assigned to SBassett_(WMF)
    1. I think this was fixed in another task/patch?
  8. T309078 - Assigned to SBassett_(WMF) to triage
  9. T309255 - Assigned to MStyles_(WMF) to triage
    1. Appears to not be a Wikimedia-deployed extension
  10. T309285
    1. Done in clinic! Untagged security team, protected as security task, triaged a bit