[MediaWiki-l] Security warning for SimpleSecurity extension.

Brian Wolff-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Everyone.

This is an advisory that the SimpleSecurity extension has unfixed
security issues, and that people relying on it should consider moving
to a different solution.

The extension does not take caching into consideration, and is not
secure when $wgMainCacheType is something other than CACHE_NONE. We
received a bug report about this quite a long time ago, however it
appears nobody is maintaining the extension, and we were unable to
find anyone to forward the report to who was interested in fixing
the issue. So instead we are making the issue public and issuing
this warning about it.

The issue in question is https://phabricator.wikimedia.org/T48843
The extension in question is
https://www.mediawiki.org/wiki/Extension:SimpleSecurity

Sincerely,

Brian Wolff
Wikimedia Security Team

P.S. This is the first time I've ever written a warning like this
for an extension. In the past, we've just put security alerts on
the extension page or sometimes just ignored them (which I consider bad).
I would like feedback from mediawiki-l if people on this list appreciate
getting a notice like this, or if you folks consider it off topic.
Any other feedback about how we handle security issues reported to
us for extensions we do not make or maintain is also appreciated.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
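
Added example, not part of the original message or of the extension's code: a heuristic check for the condition the advisory names, SimpleSecurity loaded while $wgMainCacheType is something other than CACHE_NONE. The function name, the sample LocalSettings.php fragments and the extension file path in them are constructed for illustration. It covers only the caching condition and relies on MediaWiki's default of CACHE_NONE when the setting is absent.

```python
import re

# Lines that are PHP comments are ignored (heuristic, line-based).
COMMENT = re.compile(r"^\s*(#|//|\*|/\*)")
CACHE_SETTING = re.compile(r"\$wgMainCacheType\s*=\s*([^;]+);")


def audit_local_settings(text):
    """Return (uses_extension, cache_value, cache_issue_applies)."""
    uses_extension = False
    cache_value = "CACHE_NONE"  # MediaWiki default when never assigned
    for line in text.splitlines():
        if COMMENT.match(line):
            continue
        if "SimpleSecurity" in line:
            uses_extension = True
        match = CACHE_SETTING.search(line)
        if match:
            cache_value = match.group(1).strip()  # last assignment wins
    applies = uses_extension and cache_value != "CACHE_NONE"
    return uses_extension, cache_value, applies


# Constructed sample configurations (not taken from any real wiki).
RISKY = """<?php
$wgMainCacheType = CACHE_MEMCACHED;
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
"""

NO_CACHE = """<?php
$wgMainCacheType = CACHE_NONE;
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
"""

DISABLED = """<?php
$wgMainCacheType = CACHE_ACCEL;
# require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
"""

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("NO_CACHE", NO_CACHE),
                      ("DISABLED", DISABLED)):
        print(name, audit_local_settings(cfg))
```

A result of `True` in the last field means the wiki matches the configuration the advisory calls insecure; the advisory's recommendation to consider a different solution still applies to any wiki using the extension.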
Re: Security warning for SimpleSecurity extension.

Brian Wolff-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi.

So I wanted to be cool and use gpg
like all the cool kids do, but I didn't
know what I was doing, and the line length
got adjusted by the email client, rendering
the signature invalid.

So umm, the last email really was me,
despite the invalid signature and
err this is embarrassing.

Cheers,
Brian.

p.s. Hopefully I do it right the second
time, or it's only going to get more
embarrassing :)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Re: Security warning for SimpleSecurity extension.

Eduardo Elias Camponez
In reply to this post by Brian Wolff-2
On 19/07/2017 04:45, Brian Wolff wrote:

> Hello Everyone.
>
> This is an advisory that the SimpleSecurity extension has unfixed
> security issues, and that people relying on it should consider moving
> to a different solution.
>
> The extension does not take caching into consideration, and is not
> secure when $wgMainCacheType is something other than CACHE_NONE. We
> received a bug report about this quite a long time ago, however it
> appears nobody is maintaining the extension, and we were unable to
> find anyone to forward the report to who was interested in fixing
> the issue. So instead we are making the issue public and issuing
> this warning about it.
>
> The issue in question is https://phabricator.wikimedia.org/T48843
> The extension in question is
> https://www.mediawiki.org/wiki/Extension:SimpleSecurity
>
> Sincerely,
>
> Brian Wolff
> Wikimedia Security Team
>
> P.S. This is the first time I've ever written a warning like this
> for an extension. In the past, we've just put security alerts on
> the extension page or sometimes just ignored them (which I consider bad).
> I would like feedback from mediawiki-l if people on this list appreciate
> getting a notice like this, or if you folks consider it off topic.
> Any other feedback about how we handle security issues reported to
> us for extensions we do not make or maintain is also appreciated.
>
I would appreciate getting this kind of notice. I never go back to the extension's page;
the notice there would help me only the first time, when I'm about to install it.

Thank you!

Eduardo

Re: Security warning for SimpleSecurity extension.

Eduardo Elias Camponez
On 19/07/2017 08:12, Eduardo Elias Camponez wrote:
> I would appreciate getting this kind of notice. I never go back to the extension's page;
> the notice there would help me only the first time, when I'm about to install it.
>
> Thank you!
>
> Eduardo

Looks like I have the same problem with the Bad Signature! ;)

