Page MenuHomePhabricator
Create Task
Maniphest T290808

Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148)
Closed, ResolvedPublicSecurity
Actions

Description

NOTE: Public tracking task for this incident exists as T290856.

I just realized that with introducing securepoll-related user groups to testwiki _and_ allowing bureaucrats to grant them, we effectively allowed testwiki's bureaucrats to grant users access to confidential information. That's because SecurePoll election admins can see IP addresses and user agents of voters in "their" elections".

SecurePoll requires admins to be both in electionadmin group as well as be added as an admin to the particular election in order to be able to view private details. So this doesn't mean that bureaucrats can arbitrarily view PII of voters in all elections. PII is also hidden from all users 60 days after the election has ended on all wikis.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Urbanecm added a subscriber: taavi.Sep 11 2021, 6:59 PM

Adding @majavah, who correctly described the cause for removing in a private message.

Urbanecm added a comment.Sep 11 2021, 7:02 PM
21:02 <+logmsgbot> !log urbanecm@deploy1002 Synchronized wmf-config/InitialiseSettings.php: 27814b8eaacb5ba2fee1b6167a36ea14356a1ecf: testwiki: Fully remove securepoll-related groups (T290808) (duration: 00m 57s)
21:02 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Fixed the removal of the groups.

Ladsgroup added a comment.Sep 11 2021, 7:12 PM

It might be going on way before the main ticket.

E.g. the non-NDA'ed user has created an election before T277353#7223260 (with id of 701, it doesn't have a vote in it). I think this needs to be looked at in more depth with someone more knowledgeable about SecurePoll.

Urbanecm added a project: Anti-Harassment.Sep 11 2021, 7:19 PM

Tagging AHT as the maintainers of the extension.

Ladsgroup added a comment.Sep 11 2021, 7:23 PM

Sorry I keep coming up with notes. One thing is that signing an NDA doesn't mean the user can be trusted with private data. For example we have had a user who signed an NDA but globally locked. Handing out this right should have been done way more carefully.

Urbanecm added a comment.Sep 11 2021, 7:31 PM
In T290808#7346549, @Ladsgroup wrote:

Sorry I keep coming up with notes. One thing is that signing an NDA doesn't mean the user can be trusted with private data. For example we have had a user who signed an NDA but globally locked. Handing out this right should have been done way more carefully.

I strongly agree with this. Usually, rights that require NDA-level access are handed out by the stewards or T&S, and I think this would be an appropriate setup in testwiki's case as well. We'd need to figure out some criteria to be eligible for access (as voting makes no sense for testwiki).

RLazarus subscribed.Sep 11 2021, 7:56 PM
Urbanecm mentioned this in T290856: SecurePoll's management groups were removed from testwiki [public].Sep 13 2021, 11:00 AM
Urbanecm updated the task description. (Show Details)Sep 13 2021, 11:03 AM
phuedx added a comment.EditedSep 13 2021, 11:57 AM
In T290808#7346549, @Ladsgroup wrote:

Handing out this right should have been done way more carefully.

Yes.

In T290808#7346535, @Ladsgroup wrote:

So assuming securepoll logging is correct. The non-NDA'ed user has created one election (with id of 805) and accessed its logs four times. I can only see one vote in that particular election which is the user himself

select vote_voter_name from securepoll_votes where vote_election = 805;
+-----------------+
| vote_voter_name |
+-----------------+
| 4nn1l2          |
+-----------------+
1 row in set (0.00 sec)

so it means there is no leaked data unless:

  • An election admin can look at other elections or

You are considered an admin of a particular election if you are a member of the electionadmin group and in the list of admins for that particular election (see https://gerrit.wikimedia.org/g/mediawiki/extensions/SecurePoll/+/5b31db7e97d399b00370620e0fe296f43cf94501/includes/Entities/Election.php#357).

You may only list the confidential information of voters in an election if you are an admin of that particular election (see https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/SecurePoll/+/refs/heads/master/includes/Pages/ListPager.php#48).

That user is only an admin for two elections, the IDs of which you've already noted:

select el_entity from securepoll_elections join securepoll_properties on el_entity = pr_entity where pr_key = 'admins' and pr_value like '%4nn1l2%';
+-----------+
| el_entity |
+-----------+
|       805 |
|       701 |
+-----------+
2 rows in set (0.00 sec)

<edit>

and only 1 vote was cast across both of those elections:

select count(*) from securepoll_votes where vote_election in (805, 701);
+----------+
| count(*) |
+----------+
|        1 |
+----------+
1 row in set (0.001 sec)

</edit>

  • Some votes have been removed this election or

AFAICT only the cli/generateTestElection.php maintenance script deletes rows from the securepoll_votes table (i.e. votes that are struck remain in the table).

  • There are more than one user without NDA in that list
phuedx added a comment.EditedSep 13 2021, 11:59 AM

I should also say thank you, @Ladsgroup, @Urbanecm, and @Majavah, for catching this and acting on a Saturday.

akosiaris subscribed.Sep 13 2021, 1:35 PM
sbassett triaged this task as Low priority.Sep 13 2021, 3:43 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
In T290808#7348051, @phuedx wrote:

I should also say thank you, @Ladsgroup, @Urbanecm, and @Majavah, for catching this and acting on a Saturday.

Yes, thanks for the quick response and revert/deploy of the config patch. It seems like there do not appear to be any concerns over user 4nn1l2's limited (and now removed) access at this time. The Security-Team will throw this into our watching column for now, but I don't see any immediately actionable items on this task for us, unless anyone would like to consult about potential options going forward, though Anti-Harassment likely have far more SecurePoll domain knowledge at this point.

sbassett added a project: SecTeam-Processed.Sep 13 2021, 3:45 PM
Ladsgroup added a comment.Sep 13 2021, 6:16 PM

I understand this didn't have a breach of private information but it was pretty close to it. It would be great to have several layers of checks to make sure such close calls won't happen again. Our luck will run out one day.

Urbanecm added a subscriber: Niharika.Sep 13 2021, 6:50 PM

@sbassett I think "someone" should help with those things:

  • Do we need someone to formally declare "no infoleak happened" (if Ladsgroup's understanding is correct)?
  • Draft next steps for re-enabling the group at testwiki
    • This should probably include a substep "Create process for becoming an electionadmin at testwiki"
  • Make it more obvious that securepoll's electionadmin group grants access to PII (maybe create a proper right, like securepoll-view-votes and securepoll-view-ip-for-votes, to make it more obvious in the patch that PII is involved?) I think Anti-Harassment can help with this part (CC @Niharika)
  • Figure out what to do to notice similar issues sooner. Maybe we should have a list of PII-enabled groups and alerting if someone without a NDA is added?

I'm not sure if Security-Team would be the right team to help with those items, or some other team at the WMF.

phuedx added a comment.Sep 14 2021, 12:14 PM
In T290808#7349572, @Urbanecm wrote:
  • Draft next steps for re-enabling the group at testwiki
    • This should probably include a substep "Create process for becoming an electionadmin at testwiki"

An alternative to testing SecurePoll on testwiki might be to create and maintain an installation using Cloud VPS. This would short-circuit that particular conversation at the cost of increased maintenance burden.

  • Make it more obvious that securepoll's electionadmin group grants access to PII (maybe create a proper right, like securepoll-view-votes and securepoll-view-ip-for-votes, to make it more obvious in the patch that PII is involved?) I think Anti-Harassment can help with this part (CC @Niharika)

This is a great suggestion. securepoll-view-ip-for-votes or securepoll-view-voter-ips would be preferable here as they are clearer about the nature of the information that the right gives the user access to. I can create a task to capture this once this task is made public.

Perhaps adding a note (or notes) to https://test.wikipedia.org/wiki/Wikipedia:Requests might be worthwhile as well.

phuedx updated the task description. (Show Details)Sep 14 2021, 12:27 PM
phuedx added a subscriber: STran.Sep 14 2021, 6:07 PM
Ladsgroup added a comment.Sep 14 2021, 7:06 PM
In T290808#7351689, @phuedx wrote:
In T290808#7349572, @Urbanecm wrote:
  • Draft next steps for re-enabling the group at testwiki
    • This should probably include a substep "Create process for becoming an electionadmin at testwiki"

An alternative to testing SecurePoll on testwiki might be to create and maintain an installation using Cloud VPS. This would short-circuit that particular conversation at the cost of increased maintenance burden.

Beta cluster seems like a good candidate for it.

sbassett added a subscriber: Dsharpe.Sep 15 2021, 8:12 PM
In T290808#7349572, @Urbanecm wrote:
  • Do we need someone to formally declare "no infoleak happened" (if Ladsgroup's understanding is correct)?

IMO, we can likely safely say this is the case, per @Ladsgroup's findings in T290808#7346535. I'm not sure there's much else the Security-Team (or anyone else) could audit here? We don't really have secret security logs with more wide-ranging data for cases like this. Ping @Dsharpe to confirm.

  • Draft next steps for re-enabling the group at testwiki
    • This should probably include a substep "Create process for becoming an electionadmin at testwiki"
  • Make it more obvious that securepoll's electionadmin group grants access to PII (maybe create a proper right, like securepoll-view-votes and securepoll-view-ip-for-votes, to make it more obvious in the patch that PII is involved?) I think Anti-Harassment can help with this part (CC @Niharika)

These sound like good ideas that the SecurePoll maintainers should further discuss and implement.

  • Figure out what to do to notice similar issues sooner. Maybe we should have a list of PII-enabled groups and alerting if someone without a NDA is added?

That could work as a risk-reducing mitigation. Maybe somewhere in UserrightsPage::doSaveUserGroups?

Urbanecm added a comment.Sep 15 2021, 8:57 PM
In T290808#7357037, @sbassett wrote:
In T290808#7349572, @Urbanecm wrote:
  • Do we need someone to formally declare "no infoleak happened" (if Ladsgroup's understanding is correct)?

IMO, we can likely safely say this is the case, per @Ladsgroup's findings in T290808#7346535. I'm not sure there's much else the Security-Team (or anyone else) could audit here? We don't really have secret security logs with more wide-ranging data for cases like this. Ping @Dsharpe to confirm.

I meant "give an authoritative interpretation of the data" rather than "add more data", sorry if that wasn't clear. I don't think that this call should be made by me :-).

Dsharpe added a comment.Sep 15 2021, 9:52 PM

Here is how I see matters like this: if we looked at everything we could reasonably think of and found no evidence of a leak, then a leak did not happen. That sounds exactly like the situation here. No leak happened.

Does anyone need anything else from me for this matter?

Ladsgroup added a comment.Sep 16 2021, 9:41 AM
In T290808#7357118, @Urbanecm wrote:
In T290808#7357037, @sbassett wrote:
In T290808#7349572, @Urbanecm wrote:
  • Do we need someone to formally declare "no infoleak happened" (if Ladsgroup's understanding is correct)?

IMO, we can likely safely say this is the case, per @Ladsgroup's findings in T290808#7346535. I'm not sure there's much else the Security-Team (or anyone else) could audit here? We don't really have secret security logs with more wide-ranging data for cases like this. Ping @Dsharpe to confirm.

I meant "give an authoritative interpretation of the data" rather than "add more data", sorry if that wasn't clear. I don't think that this call should be made by me :-).

One would be a script that gets run daily and checks members of any group that has access to confidentional information against the meta page.

It clearly is not enough, having volunteer-NDA doesn't mean the person is trusted as exampled above.

phuedx added a comment.Sep 20 2021, 12:52 PM
In T290808#7351689, @phuedx wrote:
In T290808#7349572, @Urbanecm wrote:
  • Make it more obvious that securepoll's electionadmin group grants access to PII (maybe create a proper right, like securepoll-view-votes and securepoll-view-ip-for-votes, to make it more obvious in the patch that PII is involved?) I think Anti-Harassment can help with this part (CC @Niharika)

T290808.patch2 KBDownload

The above patch introduces a check for the securepoll-view-voter-pii right before showing the fields containing PII.

Niharika added a project: MediaWiki-extensions-SecurePoll.Sep 21 2021, 8:43 PM
Niharika moved this task from Untriaged to Tracking work by others on the Anti-Harassment board.
sbassett moved this task from Watching to Security Patch To Deploy on the Security-Team board.Sep 29 2021, 7:15 PM
Niharika added a subscriber: ARamirez_WMF.Oct 27 2021, 6:01 PM
Aklapper added a comment.Oct 31 2021, 7:09 AM

Could this ticket see some progress, please? Thanks a lot! :)

Mstyles subscribed.Nov 1 2021, 9:12 PM

@phuedx could you please have someone else review your patch so that the security team can move forward and deploy it?

Urbanecm added a comment.Nov 1 2021, 9:28 PM

Based on a quick look, it looks good to me. I confirmed with a scrutineer of an ongoing election that they were not able to see PII until I made the config change to assign the right to votewiki election admins.

Sec patch deployed.

Urbanecm added a subscriber: Tks4Fish.Nov 1 2021, 9:31 PM
22:28 <+logmsgbot> !log urbanecm@deploy1002 Synchronized wmf-config/InitialiseSettings.php: 8f5008d9a043c96cd1dba18bdb38e168b01d63d0: votewiki: Grant election admins securepoll-view-voter-pii (T290808) (duration: 00m 55s)
22:28 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
22:30 <urbanecm> !log Deploy a security patch for T290808
22:30 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

@Tks4Fish mentioned PII moved to the end of the table. They said it's not a big deal, but @phuedx, maybe changing it to follow the previous layout is not a big issue?

sbassett added a comment.Nov 2 2021, 2:48 PM

@Urbanecm - thanks for the deploy, tracking at T292236 and T276237 now.

sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Nov 2 2021, 2:49 PM
sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).
phuedx added a comment.Nov 3 2021, 4:53 PM
In T290808#7473300, @Urbanecm wrote:

@Tks4Fish mentioned PII moved to the end of the table. They said it's not a big deal, but @phuedx, maybe changing it to follow the previous layout is not a big issue?

Thanks for deployment, @Urbanecm. You're right that it's not a big issue to fix. I'll take a look.

Reedy added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Nov 3 2021, 6:41 PM
Reedy changed the task status from Open to In Progress.Nov 3 2021, 6:45 PM
Urbanecm added a subscriber: Reedy.Nov 7 2021, 8:06 PM

@sbassett @Reedy @phuedx Hello, any objections to making this public? AFAICS, only a cosmetic change is pending now.

phuedx added a comment.Nov 8 2021, 2:35 PM
In T290808#7488103, @Urbanecm wrote:

@sbassett @Reedy @phuedx Hello, any objections to making this public? AFAICS, only a cosmetic change is pending now.

None from my side.

sbassett added a comment.Nov 8 2021, 9:30 PM
In T290808#7488103, @Urbanecm wrote:

@sbassett @Reedy @phuedx Hello, any objections to making this public? AFAICS, only a cosmetic change is pending now.

Given the findings from T290808#7346535, I think we're likely fine to make this public, but I'd defer to @Dsharpe one more time just in case he sees something that I do not.

Urbanecm added a comment.Nov 29 2021, 4:17 PM
In T290808#7490954, @sbassett wrote:
In T290808#7488103, @Urbanecm wrote:

@sbassett @Reedy @phuedx Hello, any objections to making this public? AFAICS, only a cosmetic change is pending now.

Given the findings from T290808#7346535, I think we're likely fine to make this public, but I'd defer to @Dsharpe one more time just in case he sees something that I do not.

Any update?

sbassett added a comment.EditedNov 29 2021, 4:56 PM
In T290808#7534343, @Urbanecm wrote:

Any update?

Yep, the Security-Team just chatted about this. It's fine to open this up. This is already tracked for the supplemental, could use backports though.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 29 2021, 4:57 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Xaosflux subscribed.Dec 5 2021, 1:41 AM
Zabe subscribed.Dec 6 2021, 1:40 PM
4nn1l2 subscribed.EditedDec 6 2021, 4:45 PM

It was funny reading this :)

While I, as a non-paid volunteer, have been working hard helping the Anti-Harassment team and @Niharika implement Meek STV for WMF elections

https://www.mediawiki.org/wiki/Topic:Wdnlzj4xzf0ardcd

https://commons.wikimedia.org/wiki/File:Scottish_STV,_MediaWiki_SecurePoll_example.svg

https://www.mediawiki.org/w/index.php?title=Anti-Harassment_Tools/SecurePoll_Improvements/Understanding_the_STV_result&action=history

T288185

https://meta.wikimedia.org/w/index.php?title=Wikimedia_Foundation_elections/2021/Results&diff=prev&oldid=21993043

https://meta.wikimedia.org/wiki/Talk:Movement_Charter/Drafting_Committee/Elections#Heads_up_for_alternates

https://meta.wikimedia.org/w/index.php?title=Movement_Charter/Drafting_Committee/Elections/Results&diff=prev&oldid=22358958

some other people have been concerned about leaking or breaching private data by bad actors!

I don't need anyone's private data and have signed NDA as a former VRT agent. (I know, I know there are multiple NDAs, no need to mention that, but you should use correct terminology yourselves).

Hope you let innocent users play with SecurePoll on testwiki again. That really helps developing things. Users still cannot test SecurePoll on testwiki and that is frustrating: T277353#7234897

Huji subscribed.Dec 6 2021, 5:02 PM

While this discussion is gathering people's attention, may I remind this important security gap: T152972: Accessing private information through SecurePoll should be logged

Huji added a comment.Dec 6 2021, 10:27 PM
In T290808#7550272, @4nn1l2 wrote:

It was funny reading this :)

While I, as a non-paid volunteer, have been working hard helping the Anti-Harassment team and @Niharika implement Meek STV for WMF elections

https://www.mediawiki.org/wiki/Topic:Wdnlzj4xzf0ardcd

https://commons.wikimedia.org/wiki/File:Scottish_STV,_MediaWiki_SecurePoll_example.svg

https://www.mediawiki.org/w/index.php?title=Anti-Harassment_Tools/SecurePoll_Improvements/Understanding_the_STV_result&action=history

T288185

https://meta.wikimedia.org/w/index.php?title=Wikimedia_Foundation_elections/2021/Results&diff=prev&oldid=21993043

https://meta.wikimedia.org/wiki/Talk:Movement_Charter/Drafting_Committee/Elections#Heads_up_for_alternates

https://meta.wikimedia.org/w/index.php?title=Movement_Charter/Drafting_Committee/Elections/Results&diff=prev&oldid=22358958

some other people have been concerned about leaking or breaching private data by bad actors!

I don't need anyone's private data and have signed NDA as a former VRT agent. (I know, I know there are multiple NDAs, no need to mention that, but you should use correct terminology yourselves).

Hope you let innocent users play with SecurePoll on testwiki again. That really helps developing things. Users still cannot test SecurePoll on testwiki and that is frustrating: T277353#7234897

You shouldn't take it personally, @4nn1l2. It is not about you. This could have happened with another person who is not as well intended. A safety flaw is a safety flaw, no matter the outcome. In fact, focusing on the outcome is a known mistake (called outcome bias) and what I gather from above is that ultimately the team is aware of it. It shows where @Ladsgroup says "our luck will run out one day".

Huji added a comment.Dec 6 2021, 10:31 PM

@Urbanecm in the task description you said "... we effectively allowed testwiki's bureaucrats to grant users access to confidential information".

Isn't that part of the problem? Shouldn't $wgGrantPermissions be overwritten in InitialiseSettings.php to ensure that only stewards can assign electionadmin right on WMF production wikis?

gerritbot added a comment.Dec 7 2021, 6:01 AM

Change 744669 had a related patch set uploaded (by Urbanecm; author: Phuedx):

[mediawiki/extensions/SecurePoll@master] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/744669

gerritbot added a project: Patch-For-Review.Dec 7 2021, 6:01 AM
gerritbot added a comment.Dec 7 2021, 6:04 AM

Change 743940 had a related patch set uploaded (by Urbanecm; author: Phuedx):

[mediawiki/extensions/SecurePoll@REL1_37] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/743940

Urbanecm added a comment.Dec 7 2021, 6:13 AM
In T290808#7551597, @Huji wrote:

@Urbanecm in the task description you said "... we effectively allowed testwiki's bureaucrats to grant users access to confidential information".

Isn't that part of the problem? Shouldn't $wgGrantPermissions be overwritten in InitialiseSettings.php to ensure that only stewards can assign electionadmin right on WMF production wikis?

Not necessarily. For votewiki, this risk pretty much doesn't exist -- we trust votewiki bureaucrats for this kind of a task. It was only an issue for wikis where bureaucrats have no connection with handling PII. Honestly, I don't think we need stewards to act as a rubber stamp for WMF staff managing securepoll elections and while the new rule you mention could have a votewiki-specific exemption, I'm pretty sure people trying to enable creating pools on new wikis will...try to copy votewiki config :)).

I think a better solution is implemented in the security patch deployed as part of this task (see the one I just merged to master), which requires users having securepoll-view-voter-pii in addition to being election admins before they're allowed to view PII. That right should make it pretty obvious that you're adding PII access, and I believe a change like https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/736067 will not pass review for testwiki (at least not without someone asking questions "are we sure letting users to access PII is a good idea").

Of course, we should have more layers of defense for this. One of the ideas could be to construct a list of PII accessing groups, and audit users for NDA membership regularly. If an issue is found, it can notify...someone (stewards+T&S sound like a reasonable first choice for me).

gerritbot added a comment.Dec 7 2021, 6:14 AM

Change 744669 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/744669

Urbanecm mentioned this in T152972: Accessing private information through SecurePoll should be logged.Dec 7 2021, 6:32 AM
ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.13; 2021-12-13).Dec 7 2021, 8:00 AM
gerritbot added a comment.Dec 7 2021, 9:25 AM

Change 744761 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/SecurePoll@master] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/744761

gerritbot added a comment.Dec 8 2021, 10:56 AM

Change 744761 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/744761

gerritbot added a comment.Dec 14 2021, 6:56 PM

Change 743940 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_37] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/743940

gerritbot added a comment.Dec 14 2021, 6:59 PM

Change 747076 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/SecurePoll@REL1_37] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/747076

gerritbot added a comment.Dec 15 2021, 2:08 PM

Change 747513 had a related patch set uploaded (by Phuedx; author: Phuedx):

[mediawiki/extensions/SecurePoll@master] listPager: Restore original field order

https://gerrit.wikimedia.org/r/747513

gerritbot added a comment.Dec 21 2021, 5:44 PM

Change 749228 had a related patch set uploaded (by SBassett; author: Phuedx):

[mediawiki/extensions/SecurePoll@REL1_35] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/749228

gerritbot added a comment.Dec 21 2021, 5:45 PM

Change 749229 had a related patch set uploaded (by SBassett; author: Phuedx):

[mediawiki/extensions/SecurePoll@REL1_36] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/749229

gerritbot added a comment.Dec 21 2021, 9:52 PM

Change 749228 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_35] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/749228

gerritbot added a comment.Dec 21 2021, 9:52 PM

Change 749229 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_36] SECURITY: Require securepoll-view-voter-pii right to view voter's PII

https://gerrit.wikimedia.org/r/749229

sbassett removed a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 23 2021, 5:16 PM
sbassett added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 23 2021, 5:25 PM
gerritbot added a comment.Jan 2 2022, 4:11 PM

Change 749885 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/SecurePoll@REL1_36] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/749885

gerritbot added a comment.Jan 2 2022, 4:13 PM

Change 750806 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/SecurePoll@REL1_35] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/750806

mmartorana renamed this task from Users with no NDA can access confidential information at testwiki's SecurePoll instance to Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148).Jan 10 2022, 5:03 PM
mmartorana closed this task as Resolved.Jan 10 2022, 6:40 PM
mmartorana assigned this task to phuedx.
gerritbot added a comment.Jan 17 2022, 12:02 AM

Change 747076 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_37] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/747076

gerritbot added a comment.Jan 17 2022, 12:06 AM

Change 749885 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_36] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/749885

gerritbot added a comment.Jan 17 2022, 12:07 AM

Change 750806 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_35] Fully add new securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/750806

WormTT subscribed.Oct 3 2022, 2:18 PM
jrbs mentioned this in T335201: Investigation: What needs to change to allow local wikis to run their own elections?.Apr 26 2023, 9:05 PM
Johannnes89 subscribed.Apr 5 2024, 6:41 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL