
Story idea for Blog: Discovering and fixing CVE-2021-33038 in Mailman3
Closed, Resolved · Public

Description

Please provide the following information.

  • Provide a short summary of your proposed post for the Wikimedia Technical Blog. Blog readers will see this as the preview to your post:

During Wikimedia's Mailman3 migration, we discovered and fixed a security issue that would have disclosed the contents of private list archives during the import process. This post explains the issue, how we discovered it and how it was fixed.

Technical explanation: problem / solution

  • Which audience or audiences do you think your post is appropriate for?:

People interested in Mailman, our migration or general security issues

  • Will you need assistance with writing your blog post, or do you already have a draft? If you have a draft, please provide a link here:

https://www.mediawiki.org/wiki/User:Legoktm/Blog/CVE-2021-33038

  • Does your post need to be published by a certain date?

no

I didn't, maybe something from https://commons.wikimedia.org/wiki/Category:Airmail or a related category?

  • Do you have any other questions or comments?

cc @Majavah @Ladsgroup and @Urbanecm since I mentioned them in the post

Event Timeline

We should write a blog post about the upgrade in general too. Maybe later.

@Legoktm Great! Thank you for sharing this! It should be pretty straightforward to publish this in the blog!

I am going to move a draft of this over to the blog and do a round of light copyediting, then share a version of it for you to approve before I publish.

For images, I found a number having to do with mailboxes and stamps. Do you like any of these?

https://commons.wikimedia.org/wiki/File:New_Rochelle_Post_Office;_PO_Boxes-2.jpg (I like this one)
https://commons.wikimedia.org/wiki/File:Victorian_Penfold_Postbox_JE2_4WX.jpg
https://commons.wikimedia.org/wiki/File:Mailbox_in_Mergoscia.JPG
https://commons.wikimedia.org/wiki/File:Mailboxes_in_Greeley_Hill,_California.jpg (I also like this one)
https://commons.wikimedia.org/wiki/File:PO-Boxes.jpg
https://commons.wikimedia.org/wiki/File:Lindbergh_Airmail_Stamp_c10.jpg
https://commons.wikimedia.org/wiki/File:Us_airmail_stamp_C74.jpg

We should write a blog post about the upgrade in general too. Maybe later.

@Ladsgroup YES!

@Legoktm I moved this over to the blog and prepped it for publication.

There were just a few minor issues with style and grammar that I fixed. I've attached a PDF so you can look over the text and general format of the post (I used one of the images I liked for this, but if you want me to change it out, I can).

If this looks good to you, let me know, and I'll publish it! :-)

I haven't heard back from @Legoktm, but @Ladsgroup has had a chance to look it over. Since they are also CCd on the task, I went ahead and published the post to the blog.

You can find it here: https://techblog.wikimedia.org/2021/06/11/discovering-and-fixing-cve-2021-33038-in-mailman3/

If you need me to make any changes to the final post, let me know!

Kunal is on vacation this week. I'm in no position to approve on his behalf but I'll try to reach out to him.

@Ladsgroup. Thanks! I'm going to go ahead and leave it published for now, as there aren't any major changes from the original that is already published on MW. If we want to switch the image later or make minor changes I can do that at any time. :-)

Yay, thanks! @srodlund one small thing, could T281402 in the "Discovery" section link to the T281402 Phabricator task? Otherwise it looks great, I love the image too.

@srodlund one more thing, in the 3rd paragraph, can we switch "Why we didn’t… ?" -> "Why didn’t we… ?" (spotted by @Krinkle)