Page MenuHomePhabricator
Create Task
Maniphest T137258

policy.wikimedia.org SSL vulnerability
Closed, ResolvedPublic
Actions

Description

Legal, can you please either contact whoever is in technical control of policy.wikimedia.org, or forward contact/account information to Operations? The server for this site is vulnerable to a serious TLS flaw ( CVE-2016-2107 ) which was patched and released over a month ago in OpenSSL.

https://www.ssllabs.com/ssltest/analyze.html?d=policy.wikimedia.org

Event Timeline

BBlack created this task.Jun 7 2016, 10:41 PM
Restricted Application added a project: SRE. · View Herald TranscriptJun 7 2016, 10:41 PM
Restricted Application added subscribers: Zppix, Malyacko, JEumerus, Aklapper. · View Herald Transcript
Dzahn subscribed.Jun 7 2016, 10:43 PM

policy.wm runs on https://vip.wordpress.com/

ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.Jun 7 2016, 10:47 PM
ZhouZ added a subscriber: Slaporte.
Krenair subscribed.Jun 7 2016, 10:55 PM
In T137258#2362633, @Dzahn wrote:

policy.wm runs on https://vip.wordpress.com/

It appears to be running on different servers to the blog which is hosted there:

alex@alex-laptop:~$ host policy.wikimedia.org
policy.wikimedia.org has address 192.0.66.2
alex@alex-laptop:~$ host blog.wikimedia.org
blog.wikimedia.org is an alias for wikimediablog.wordpress.com.
wikimediablog.wordpress.com is an alias for vip-lb.wordpress.com.
vip-lb.wordpress.com has address 192.0.79.33
vip-lb.wordpress.com has address 192.0.79.32
Slaporte claimed this task.Jun 7 2016, 10:58 PM

I've reported this to wordpress, and I'll update here as they resolve it.

Luke081515 subscribed.Jun 8 2016, 2:52 PM
Slaporte added a comment.Jun 8 2016, 5:01 PM

WordPress tells me that they have resolved the issue. It looks fixed to me, but this is a bit outside my area of expertise. Do you see anything else we need to do to fully address it? Thanks!

MoritzMuehlenhoff subscribed.Jun 8 2016, 5:04 PM

Seems fine now

BBlack closed this task as Resolved.Jun 8 2016, 5:07 PM

Yup looks great, thanks!

Slaporte added a comment.Jun 8 2016, 5:08 PM

Excellent, thank you!

chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL