Page MenuHomePhabricator
Create Task
Maniphest T208258

CVE-2018-1000656 in ores and wikilabels
Closed, ResolvedPublic
Actions

Description

More info. It can be used as a DDoS vector.
Upgrading to flask 0.12.3 would solve it

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Bump ores and wheels to HEADmediawiki/services/ores/deploymaster+24 -24
Rebuild wheels for new flask and celery 4research/ores/wheelsmaster+0 -0
Bumps flask to 0.12.4research/ores/wheelsmaster+0 -0
Customize query in gerrit

Related Objects

Event Timeline

Ladsgroup created this task.Oct 29 2018, 7:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 29 2018, 7:38 PM
Ladsgroup claimed this task.Oct 29 2018, 7:39 PM
Ladsgroup added a project: Machine-Learning-Team (Active Tasks).
Ladsgroup added subscribers: Halfak, awight.
Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptOct 29 2018, 7:39 PM
Ladsgroup triaged this task as High priority.Oct 29 2018, 7:42 PM
Aklapper added projects: Wikilabels, ORES.Oct 29 2018, 9:13 PM
Ladsgroup merged a task: Restricted Task.Oct 30 2018, 11:43 AM
Ladsgroup added a subscriber: hashar.
Ladsgroup added a comment.Oct 30 2018, 8:55 PM

https://github.com/wikimedia/wikilabels/pull/250
First part.

Ladsgroup mentioned this in rORES91421c97ee1d: Upgrade to flask 0.12.4.Oct 30 2018, 9:04 PM
Ladsgroup moved this task from Parked to Review on the Machine-Learning-Team (Active Tasks) board.Oct 30 2018, 9:05 PM

https://github.com/wikimedia/ores/pull/277
ores ^

Ladsgroup added a comment.Oct 31 2018, 2:01 PM

wikilabels is deployed, ores is waiting for review.

Ladsgroup moved this task from Backlog / Other to Other WMF team on the acl*security board.Oct 31 2018, 5:43 PM
Ladsgroup moved this task from Review to Pending deployment on the Machine-Learning-Team (Active Tasks) board.Oct 31 2018, 5:46 PM
Ladsgroup mentioned this in rORESDEPLOY70ba14b5bc80: Bump ores and wheels to HEAD.Oct 31 2018, 6:29 PM
Halfak mentioned this in rORESWHEELS74c8608a924f: Bumps flask to 0.12.4.Oct 31 2018, 8:21 PM
Ladsgroup mentioned this in rORESWHEELS4ab0f16dcb94: Rebuild wheels for new flask and celery 4.Oct 31 2018, 8:21 PM
Ladsgroup moved this task from Pending deployment to Completed on the Machine-Learning-Team (Active Tasks) board.Nov 1 2018, 9:34 AM
Ladsgroup changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 1 2018, 9:45 AM

It's in production.

Ladsgroup closed this task as Resolved.Nov 1 2018, 8:00 PM
Halfak mentioned this in rORESWHEELS1465937fb30c: Bumps flask to 0.12.4 Bug: T208258 Change-Id….Nov 7 2018, 6:36 PM
Ladsgroup mentioned this in rORESWHEELSaba5578b8bfe: Rebuild wheels for new flask and celery 4 Bug: T208258 Bug: T178441 Change-Id….Nov 7 2018, 6:36 PM
Ladsgroup mentioned this in rORESWHEELS01cb1c57c313: Rebuild wheels for new flask and celery 4 Bug: T208258 Bug: T178441 Change-Id….Nov 7 2018, 7:20 PM
Halfak mentioned this in rORESWHEELS2bda34f78921: Bumps flask to 0.12.4 Bug: T208258 Change-Id….Nov 7 2018, 7:20 PM
chasemp added a project: Security.Feb 10 2020, 10:54 PM
Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board.Feb 10 2020, 11:15 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits