Security patch

9 messages

Security patch

Jon Robson-2
A security vulnerability has been discovered in MediaWiki setups which
use MobileFrontend.

Revisions whose visibility had been altered were showing up in parts
of the mobile UI.

All projects in the Wikimedia cluster have since been patched, but if
you use this extension please be sure to apply the fix.

Patch file and issue are documented on https://phabricator.wikimedia.org/T133700

Note there is some follow-up work to do which is tracked in:
https://phabricator.wikimedia.org/T133722

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Security patch

bawolff
On Tue, Apr 26, 2016 at 2:44 PM, Jon Robson <[hidden email]> wrote:

> A security vulnerability has been discovered in MediaWiki setups which
> use MobileFrontend.
>
> Revisions whose visibility had been altered were showing up in parts
> of the mobile UI.
>
> All projects in the Wikimedia cluster have since been patched, but if
> you use this extension please be sure to apply the fix.
>
> Patch file and issue are documented on https://phabricator.wikimedia.org/T133700
>
> Note there is some follow-up work to do which is tracked in:
> https://phabricator.wikimedia.org/T133722
>

For these sorts of things, could we include the extension in the
subject line? Otherwise some people might think it's a general
MediaWiki security issue.

Thanks,
--
-bawolff


Re: Security patch

Ryan Lane-2
In reply to this post by Jon Robson-2
Any chance that Wikimedia Foundation can actually do proper releases of
this extension, rather than sending people a link to a phabricator page
that has a link to a gerrit change buried in the comments?

This seems like a pretty poor way to do a security release to third parties
that may be relying on this.

On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson <[hidden email]> wrote:

> A security vulnerability has been discovered in MediaWiki setups which
> use MobileFrontend.
>
> Revisions whose visibility had been altered were showing up in parts
> of the mobile UI.
>
> All projects in the Wikimedia cluster have since been patched, but if
> you use this extension please be sure to apply the fix.
>
> Patch file and issue are documented on
> https://phabricator.wikimedia.org/T133700
>
> Note there is some follow-up work to do which is tracked in:
> https://phabricator.wikimedia.org/T133722
>

Re: Security patch

Alex Monk
It's not an extension that gets bundled with MediaWiki releases.

On 26 April 2016 at 19:52, Ryan Lane <[hidden email]> wrote:

> Any chance that Wikimedia Foundation can actually do proper releases of
> this extension, rather than sending people a link to a phabricator page
> that has a link to a gerrit change buried in the comments?
>
> This seems like a pretty poor way to do a security release to third parties
> that may be relying on this.
>
> On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson <[hidden email]>
> wrote:
>
> > A security vulnerability has been discovered in MediaWiki setups which
> > use MobileFrontend.
> >
> > Revisions whose visibility had been altered were showing up in parts
> > of the mobile UI.
> >
> > All projects in the Wikimedia cluster have since been patched, but if
> > you use this extension please be sure to apply the fix.
> >
> > Patch file and issue are documented on
> > https://phabricator.wikimedia.org/T133700
> >
> > Note there is some follow-up work to do which is tracked in:
> > https://phabricator.wikimedia.org/T133722
> >

Re: Security patch

Adam Baso
In reply to this post by Ryan Lane-2
Hey Ryan - with stuff merged into master would it make sense to just point
to the MobileFrontend extension page
<https://www.mediawiki.org/wiki/Extension:MobileFrontend> for people to get
the snapshot? Or did you have something else in mind?

On Tue, Apr 26, 2016 at 1:52 PM, Ryan Lane <[hidden email]> wrote:

> Any chance that Wikimedia Foundation can actually do proper releases of
> this extension, rather than sending people a link to a phabricator page
> that has a link to a gerrit change buried in the comments?
>
> This seems like a pretty poor way to do a security release to third parties
> that may be relying on this.
>
> On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson <[hidden email]>
> wrote:
>
> > A security vulnerability has been discovered in MediaWiki setups which
> > use MobileFrontend.
> >
> > Revisions whose visibility had been altered were showing up in parts
> > of the mobile UI.
> >
> > All projects in the Wikimedia cluster have since been patched, but if
> > you use this extension please be sure to apply the fix.
> >
> > Patch file and issue are documented on
> > https://phabricator.wikimedia.org/T133700
> >
> > Note there is some follow-up work to do which is tracked in:
> > https://phabricator.wikimedia.org/T133722
> >

Re: Security patch

Ryan Lane-2
In reply to this post by Alex Monk
On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk <[hidden email]> wrote:

> It's not an extension that gets bundled with MediaWiki releases.
>
>
That doesn't mean third parties aren't using it. When I say a release of
the extension, I mean give it a version number, increase the version
number, tag it in git, then tell people "ensure you are using version x or
greater of MobileFrontend".

This is a pretty normal process that Wikimedia does well for other things.
I have a feeling this isn't going through a normal process...

- Ryan

Re: Security patch

bawolff
On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane <[hidden email]> wrote:

> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk <[hidden email]> wrote:
>
>> It's not an extension that gets bundled with MediaWiki releases.
>>
>>
> That doesn't mean third parties aren't using it. When I say a release of
> the extension, I mean give it a version number, increase the version
> number, tag it in git, then tell people "ensure you are using version x or
> greater of MobileFrontend".
>
> This is a pretty normal process that Wikimedia does well for other things.
> I have a feeling this isn't going through a normal process...
>

I'm pretty sure that doing git tags in extensions for new versions is
not normal procedure.

I can't recall any extension ever doing that (unless you mean the
REL1_26 type tags).

Which is not to say that I necessarily disagree with doing that
procedure, I just think it's unfair to call that the normal procedure,
where I don't think that procedure has ever been used for extensions.

Regardless of what procedures are decided as good practice for
extensions, formalizing the procedures for security releases of
non-bundled extensions that are maintained by WMF would probably be a
good idea.

--
-bawolff


Re: Security patch

bawolff
I've filed T133735 as a bug to formalize procedures for security
releases of non-MediaWiki-bundled WMF-maintained extensions.

On Tue, Apr 26, 2016 at 3:17 PM, bawolff <[hidden email]> wrote:

> On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane <[hidden email]> wrote:
>> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk <[hidden email]> wrote:
>>
>>> It's not an extension that gets bundled with MediaWiki releases.
>>>
>>>
>> That doesn't mean third parties aren't using it. When I say a release of
>> the extension, I mean give it a version number, increase the version
>> number, tag it in git, then tell people "ensure you are using version x or
>> greater of MobileFrontend".
>>
>> This is a pretty normal process that Wikimedia does well for other things.
>> I have a feeling this isn't going through a normal process...
>>
>
> I'm pretty sure that doing git tags in extensions for new versions is
> not normal procedure.
>
> I can't recall any extension ever doing that (unless you mean the
> REL1_26 type tags).
>
> Which is not to say that I necessarily disagree with doing that
> procedure, I just think it's unfair to call that the normal procedure,
> where I don't think that procedure has ever been used for extensions.
>
> Regardless of what procedures are decided as good practice for
> extensions, formalizing the procedures for security releases of
> non-bundled extensions that are maintained by WMF would probably be a
> good idea.
>
> --
> -bawolff


Re: Security patch

Jon Robson-2
In reply to this post by bawolff
We did push for a new release process in MobileFrontend some time ago:
https://phabricator.wikimedia.org/T104317

This wasn't popular and failed. See:
http://www.gossamer-threads.com/lists/wiki/wikitech/673454?page=last


On Tue, Apr 26, 2016 at 12:17 PM, bawolff <[hidden email]> wrote:

> On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane <[hidden email]> wrote:
>> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk <[hidden email]> wrote:
>>
>>> It's not an extension that gets bundled with MediaWiki releases.
>>>
>>>
>> That doesn't mean third parties aren't using it. When I say a release of
>> the extension, I mean give it a version number, increase the version
>> number, tag it in git, then tell people "ensure you are using version x or
>> greater of MobileFrontend".
>>
>> This is a pretty normal process that Wikimedia does well for other things.
>> I have a feeling this isn't going through a normal process...
>>
>
> I'm pretty sure that doing git tags in extensions for new versions is
> not normal procedure.
>
> I can't recall any extension ever doing that (unless you mean the
> REL1_26 type tags).
>
> Which is not to say that I necessarily disagree with doing that
> procedure, I just think it's unfair to call that the normal procedure,
> where I don't think that procedure has ever been used for extensions.
>
> Regardless of what procedures are decided as good practice for
> extensions, formalizing the procedures for security releases of
> non-bundled extensions that are maintained by WMF would probably be a
> good idea.
>
> --
> -bawolff
>