
Dropped Security Patches in Wikimedia Production
Closed, Resolved | Public | Security

Description

Something appears to have happened between the branch cut from 1.45.0-wmf.1 to 1.45.0-wmf.2 and 1.45.0-wmf.3 in /srv/patches on deployment:

  1. The 5 core patches under 1.45.0-wmf.1 appear to have been reverted to previous versions and the 05-T394396.patch was accidentally dropped and has not been deployed to 1.45.0-wmf.2 and 1.45.0-wmf.3. I've corrected the core patches under /srv/patches in d7f4f9afae and will re-deploy 05-T394396.patch shortly. I can't see anything obvious in the commits so I don't know if this was a timing issue/race condition or if there is perhaps some issue with mwpresync? I had done the basic restructuring and added some CheckUser patches in 118715f522 (Mon May 19 21:03:49 2025 +0000) which seems to have then been overridden by the time /srv/patches/1.45.0-wmf.2 was prepped.
  2. The aforementioned CheckUser patches from 118715f522 were also seemingly dropped and then were not deployed to 1.45.0-wmf.2 and 1.45.0-wmf.3. @Dreamy_Jazz noticed this and has since re-added the patches and re-deployed them to 1.45.0-wmf.2 and 1.45.0-wmf.3.
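A consistency check of the kind a deployer could run before a new branch's /srv/patches directory is used, added here as an example; it is not part of this task, of mwpresync or of SecurityPatchBot. It hashes every patch under two branch directories and reports patches that are missing from the newer branch or whose content changed (the "reverted to a previous version" case above). The layout /srv/patches/<version>/core and /srv/patches/<version>/extensions/<Ext>, the T000001/T000002 task numbers and the patch bodies in the sample tree are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def patch_index(branch_dir):
    """Map each *.patch (path relative to the branch dir) to its SHA-256."""
    root = Path(branch_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.patch")}


def compare_branches(old_dir, new_dir):
    """Report patches that vanished, changed content, or are new in the next branch.

    'changed' catches the silent case: a patch file that still exists in the
    new branch but whose body was replaced by an older revision.
    """
    old, new = patch_index(old_dir), patch_index(new_dir)
    return {
        "missing": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
    }


def build_sample_tree():
    """Constructed sample (placeholder task ids, fake patch bodies) shaped like the
    incident: one core patch reverted, one core patch and one CheckUser patch
    dropped from the newer branch."""
    root = Path(tempfile.mkdtemp(prefix="srv-patches-"))
    files = {
        "1.45.0-wmf.1/core/01-T000001.patch": "--- a\n+++ b\n fix A, revision 2\n",
        "1.45.0-wmf.1/core/05-T394396.patch": "--- a\n+++ b\n fix B\n",
        "1.45.0-wmf.1/extensions/CheckUser/01-T000002.patch": "--- a\n+++ b\n fix C\n",
        "1.45.0-wmf.2/core/01-T000001.patch": "--- a\n+++ b\n fix A, revision 1\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def check_sample():
    """Run the comparison over the constructed tree and return the report."""
    root = build_sample_tree()
    return compare_branches(root / "1.45.0-wmf.1", root / "1.45.0-wmf.2")


if __name__ == "__main__":
    for kind, names in check_sample().items():
        for name in names:
            print(f"{kind}: {name}")
```

On a real deployment host the two arguments to compare_branches would be the previous and the freshly prepped /srv/patches/<version> directories, and a non-empty "missing" or "changed" list is the signal to stop and investigate before syncing.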

Details

Risk Rating
High
Author Affiliation
WMF Technology

Event Timeline

sbassett updated the task description. (Show Details)
sbassett claimed this task.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.

Everything related to this issue has been fixed, resolving for now. I think we (Security-Team et al) just need to be careful about making updates to anything under /srv/patches from Friday night through Monday morning, given the timing around @SecurityPatchBot's work.

sbassett triaged this task as High priority. Jun 2 2025, 4:30 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.