Page MenuHomePhabricator
Create Task
Maniphest T139234

Phabricator XSS vulnerability
Closed, ResolvedPublic
Actions

Description

https://secure.phabricator.com/T11257

Related Objects

Event Timeline

Danny_B created this task.Jul 2 2016, 1:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 2 2016, 1:26 PM
Danny_B triaged this task as High priority.Jul 2 2016, 1:27 PM
Danny_B added a project: Phabricator.
Danny_B merged a task: T139236: Phabricator needs update: Security issue.Jul 2 2016, 2:25 PM
Danny_B added subscribers: mmodell, Paladox, Luke081515.
Luke081515 raised the priority of this task from High to Unbreak Now!.Jul 2 2016, 2:27 PM
Luke081515 added a project: SRE.

As I wrote there, the easiest solution is to apply the patch at https://secure.phabricator.com/T11257#183428.

Luke081515 added a subscriber: demon.Jul 2 2016, 2:28 PM
Paladox moved this task from To Triage to Herald rules on the Phabricator board.Jul 2 2016, 3:25 PM
greg moved this task from Herald rules to Ready to Go on the Phabricator board.Jul 2 2016, 6:27 PM
greg subscribed.

Let's not use a "Security (high priority)" column in the workboard. That only makes it easier for outsides to know information we don't want them to know. We don't need a "high priority" column.

greg added a comment.Jul 2 2016, 6:30 PM

Timing is tough on this. This is public in upstream sadly but it's a long weekend in the US and @mmodell is out.

greg added a comment.Jul 2 2016, 6:34 PM

I emailed our team list about this to increase visibility.

mmodell added a comment.Jul 2 2016, 7:09 PM

I just cherry-picked the upstream patch. I'll deploy it now

Luke081515 assigned this task to mmodell.Jul 2 2016, 7:21 PM
mmodell closed this task as Resolved.Jul 2 2016, 7:23 PM

Fixed in wmf/stable and deployed to iridium.

Paladox added a comment.Jul 2 2016, 7:24 PM

Thanks.

greg added a comment.Jul 2 2016, 8:35 PM

Thanks for the holiday weekend response, Mukunda.

demon added a comment.Jul 2 2016, 10:45 PM

Upstream bug is already public and we're patched, can we open this up now?

Danny_B added a comment.Jul 2 2016, 10:49 PM

@demon Feel free to do so including the merged task.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 3 2016, 4:16 PM
Bawolff changed Security from Software security bug to None.
Restricted Application added subscribers: TerraCodes, Malyacko. · View Herald TranscriptJul 3 2016, 4:16 PM
Bawolff subscribed.Jul 3 2016, 4:16 PM

Bug is now public.

Danny_B added a project: Vuln-XSS.Jul 5 2016, 3:21 PM
Luke081515 mentioned this in T140207: Consider alternative processes for Unbreak Now bugs, especially those which cross-cut components.Jul 13 2016, 7:39 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits