
Wed, May 15

sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

Hey @WMDE-leszek - I am indeed on leave until June 10th. I believe the rest of the Security-Team is aware of this review, but if you don't hear any response this week, I might write to security-team@wikimedia.org and request an update on how a deployment might be affected. Our team meetings are typically held Tuesday mornings where items like this are evaluated as a team.

Wed, May 15, 7:50 PM · Security-Team-Review-Active
sbassett added a comment to T219831: Security Review For Kask.

Hey @Eevans - I'm officially on leave until June 10th, though I wanted to quickly follow up on a few things:

Wed, May 15, 7:43 PM · Security-Team-Review-Active, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans

Fri, May 10

sbassett updated subscribers of T219831: Security Review For Kask.

Security Review Summary - May 2019
Overall, the Kask application looks good, though I did not perform what I would consider an exhaustive analysis - see my findings below. If we were to solicit additional security analysis, I would recommend that the vendors focus specifically upon the http write (post, delete) methods of the service in addition to its authentication layers and perhaps performance.

Fri, May 10, 10:14 PM · Security-Team-Review-Active, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek - Ack, it looks like all of these reports have gotten a bit worse? I see more potential and confirmed vulnerabilities in all of them. It seems some additional packages have been added (to fix the ReDoS and I imagine additional, non-security-related issues) which has increased the attack surface. For now I would still assign a risk of at least Medium/Moderate to this application if it were to be deployed within this state.

Fri, May 10, 7:28 PM · Security-Team-Review-Active

Thu, May 9

sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek - sounds good and thanks for the update including the updated deployment timeline! I'll await the updated reports to review. And the openapi-request-validator length check looks good after cursory review.

Thu, May 9, 5:48 PM · Security-Team-Review-Active
sbassett updated the task description for T220517: Onboarding James Fishback to Security Team as Privacy Engineer (April 15th).
Thu, May 9, 4:57 PM · Security-Team
sbassett triaged T222910: Requesting access to deployment and analytics-privatedata-users for jfishback as Low priority.
Thu, May 9, 4:53 PM · SRE-Access-Requests, Operations, Security-Team
sbassett updated the task description for T222910: Requesting access to deployment and analytics-privatedata-users for jfishback.
Thu, May 9, 4:53 PM · SRE-Access-Requests, Operations, Security-Team
sbassett created T222910: Requesting access to deployment and analytics-privatedata-users for jfishback.
Thu, May 9, 4:53 PM · SRE-Access-Requests, Operations, Security-Team

Wed, May 8

sbassett renamed T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries from Security review for vega 5 to Security Review for Vega 5 and Vega-Lite JavaScript Libraries.
Wed, May 8, 9:03 PM · JavaScript, Maps, Security-Team-Review-Active, Graphs
sbassett added a comment to T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries.

@Yurik - I think we can probably just include Vega-Lite on this task. I can update the title and description.

Wed, May 8, 9:02 PM · JavaScript, Maps, Security-Team-Review-Active, Graphs
sbassett assigned T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries to Bawolff.
Wed, May 8, 4:25 PM · JavaScript, Maps, Security-Team-Review-Active, Graphs

Tue, May 7

sbassett added a comment to T221907: Security Concept Review For Parsoid-PHP.

Ok, thanks, @ssastry. I suppose we (the Security-Team) can have a look at some of the code in /src, particularly the sanitizer code. Though as this isn't a code review (at least not yet) we probably won't get too deep in the weeds there. At some point, we should perform a more focused analysis and risk assessment, though we'd want to get to a more stable release point first.

Tue, May 7, 6:48 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett added a comment to T221907: Security Concept Review For Parsoid-PHP.

@ssastry - looking at https://gerrit.wikimedia.org/r/q/project:mediawiki%252Fservices%252Fparsoid - are most of the patch sets here related to the new PHP-Parser development? Is there a specific start date or branch/topic we should be paying attention to right now for the new development? Or does master for mediawiki/services/parsoid fulfill that role right now? Trying to understand if it's worth the Security-Team's time to have a look at recent patch sets or if we should wait for a more stable release branch, etc. Thanks.

Tue, May 7, 5:30 PM · Security-Team-Review-Active, Parsoid-PHP

Mon, May 6

sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek - I just wanted to check in and see if you or anyone else had any questions re: my responses above and if we have a better sense around the deployment timeline for this service. Note: I will be on leave from approximately May 13th to June 10th and will only be minimally checking in on work-related items.

Mon, May 6, 4:38 PM · Security-Team-Review-Active
sbassett awarded T222455: Change https://github.com/wikimedia/grantmetrics to https://github.com/wikimedia/eventmetrics for php-composer-security-docker a Like token.
Mon, May 6, 3:32 PM · Patch-For-Review, Continuous-Integration-Config
sbassett added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

Mon, May 6, 3:30 PM · Security-Team-Review-Active, Wikimedia-Planet
sbassett closed T25227: Use token when logging out as Resolved.

@Framawiki, @Ladsgroup, @Reedy - split "Turn logout link into a POST API call with refresh" and moved here: T222626. @Ladsgroup - will let you update patch set with new bug id. Resolving this task for now.

Mon, May 6, 3:14 PM · User-notice, MediaWiki-Authentication-and-authorization, Vuln-DoS, Security
sbassett closed T25227: Use token when logging out, a subtask of T11816: Improve security for Special:Userlogin (tracking), as Resolved.
Mon, May 6, 3:14 PM · MediaWiki-Authentication-and-authorization, Tracking-Neverending, MediaWiki-User-login-and-signup
sbassett triaged T222626: Turn logout link into a POST API call with refresh as Normal priority.
Mon, May 6, 3:12 PM · Patch-For-Review, Wikimedia-Hackathon-2019, User-Ladsgroup, MediaWiki-Authentication-and-authorization, Security
sbassett created T222626: Turn logout link into a POST API call with refresh.
Mon, May 6, 3:11 PM · Patch-For-Review, Wikimedia-Hackathon-2019, User-Ladsgroup, MediaWiki-Authentication-and-authorization, Security

Fri, May 3

sbassett changed the visibility for T222398: wikimedia/grantmetrics has vulnerable dependencies.
Fri, May 3, 4:59 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett added a comment to T222398: wikimedia/grantmetrics has vulnerable dependencies.

@MusikAnimal - sounds good, going to make this public.

Fri, May 3, 4:59 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett triaged T203651: Optimize phan-taint-check speed as Normal priority.
Fri, May 3, 4:20 PM · phan-taint-check-plugin
sbassett added a comment to T203651: Optimize phan-taint-check speed.

Yeah, that seems fairly quick to me. Obviously there are efficiency concerns here since this needs to run in CI, but 30 seconds doesn't seem so terrible imo. Of course if we ever try to get this working on core, that might be a different story. Do we know where AbuseFilter falls in terms of size/complexity for deployed extensions? I'd guess it's at least moderately complex.

Fri, May 3, 4:20 PM · phan-taint-check-plugin
sbassett changed the visibility for T222399: wikimedia/svgtranslate has vulnerable dependencies.
Fri, May 3, 3:14 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett added a comment to T222399: wikimedia/svgtranslate has vulnerable dependencies.

Thanks, @MaxSem and @Samwilson.

Fri, May 3, 3:14 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett added a comment to T222398: wikimedia/grantmetrics has vulnerable dependencies.

Thanks, @MaxSem. Bug filed (T222455) as it's still showing up as grantmetrics in the php-composer-security-docker config.

Fri, May 3, 3:11 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett renamed T222455: Change https://github.com/wikimedia/grantmetrics to https://github.com/wikimedia/eventmetrics for php-composer-security-docker from Change https://github.com/wikimedia/grantmetrics to https://github.com/wikimedia/eventmetrics for php-composer-security-docker= to Change https://github.com/wikimedia/grantmetrics to https://github.com/wikimedia/eventmetrics for php-composer-security-docker.
Fri, May 3, 3:09 PM · Patch-For-Review, Continuous-Integration-Config
sbassett created T222455: Change https://github.com/wikimedia/grantmetrics to https://github.com/wikimedia/eventmetrics for php-composer-security-docker.
Fri, May 3, 3:08 PM · Patch-For-Review, Continuous-Integration-Config

Thu, May 2

sbassett updated subscribers of T222399: wikimedia/svgtranslate has vulnerable dependencies.
Thu, May 2, 8:46 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett triaged T222399: wikimedia/svgtranslate has vulnerable dependencies as Normal priority.
Thu, May 2, 8:45 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett added a project to T222399: wikimedia/svgtranslate has vulnerable dependencies: Community-Tech.
Thu, May 2, 8:45 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett updated the task description for T222398: wikimedia/grantmetrics has vulnerable dependencies.
Thu, May 2, 8:44 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett created T222399: wikimedia/svgtranslate has vulnerable dependencies.
Thu, May 2, 8:43 PM · Community-Tech-Sprint, Community-Tech, Security
sbassett updated the task description for T222398: wikimedia/grantmetrics has vulnerable dependencies.
Thu, May 2, 8:38 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett triaged T222398: wikimedia/grantmetrics has vulnerable dependencies as Normal priority.
Thu, May 2, 8:38 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett set Security to security-bug on T222398: wikimedia/grantmetrics has vulnerable dependencies.
Thu, May 2, 8:37 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett created T222398: wikimedia/grantmetrics has vulnerable dependencies.
Thu, May 2, 8:36 PM · Community-Tech-Sprint, Security, Community-Tech, Event Metrics
sbassett changed the visibility for T211731: wikimedia/grantmetrics has vulnerable dependencies.
Thu, May 2, 8:35 PM · Community-Tech, Event Metrics, Community-Tech-Sprint, Security
sbassett closed T222324: Unable to perform revision deletion on Commons as Resolved.
Thu, May 2, 5:48 PM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Performance, MediaWiki-Revision-deletion, Security
sbassett closed T222324: Unable to perform revision deletion on Commons, a subtask of T220728: 1.34.0-wmf.3 deployment blockers, as Resolved.
Thu, May 2, 5:48 PM · Release-Engineering-Team (Kanban), Release, Train Deployments
sbassett added a comment to T222324: Unable to perform revision deletion on Commons.

I'd be a little shocked if these two patches were causing the problem, especially since this seems to be intermittent/only affecting commons. Though I can't say it's impossible. We could revert the patches on wmf.3 and test commonswiki on mwdebug as you suggest, though I definitely don't have sufficient rights there to test.

Thu, May 2, 4:49 PM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Performance, MediaWiki-Revision-deletion, Security
sbassett added a comment to T222324: Unable to perform revision deletion on Commons.

@thcipriani - these are the two security patches that were deployed on Tuesday: T222036#5142596, T222038#5142604 (though not the -formatter patch.) These should only affect granular view permissions for certain revdel logs.

Thu, May 2, 4:00 PM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Performance, MediaWiki-Revision-deletion, Security

Tue, Apr 30

sbassett renamed T221868: Send out wikitech-l post for T25227 ("Use token when logging out") from Send out wikitech-l, wikitech-ambassadors posts for T25227 ("Use token when logging out") to Send out wikitech-l post for T25227 ("Use token when logging out").
Tue, Apr 30, 5:57 PM · MediaWiki-Authentication-and-authorization, Security
sbassett closed T221868: Send out wikitech-l post for T25227 ("Use token when logging out") as Resolved.

Done: https://lists.wikimedia.org/pipermail/wikitech-l/2019-April/092034.html

Tue, Apr 30, 5:56 PM · MediaWiki-Authentication-and-authorization, Security
sbassett closed T221868: Send out wikitech-l post for T25227 ("Use token when logging out"), a subtask of T25227: Use token when logging out, as Resolved.
Tue, Apr 30, 5:56 PM · User-notice, MediaWiki-Authentication-and-authorization, Vuln-DoS, Security
sbassett closed T104164: Routinely audit projects that use package.json with nodesecurity.io as Declined.
Tue, Apr 30, 5:49 PM · Security-General, Security
sbassett edited projects for T207246: Do a security audit of *.planet.wikimedia.org, added: Security-Team-Review-Active; removed Security-team-backlog, Security-Team-Reviews.
Tue, Apr 30, 5:25 PM · Security-Team-Review-Active, Wikimedia-Planet
sbassett claimed T219831: Security Review For Kask.
Tue, Apr 30, 5:20 PM · Security-Team-Review-Active, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett updated the task description for T221907: Security Concept Review For Parsoid-PHP.
Tue, Apr 30, 5:19 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett lowered the priority of T221907: Security Concept Review For Parsoid-PHP from Normal to Low.
Tue, Apr 30, 5:18 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett lowered the priority of T217289: Security review: "Wikisource" extension from Normal to Lowest.
Tue, Apr 30, 5:12 PM · Security-Team-Review-Active, Wikisource
sbassett moved T221907: Security Concept Review For Parsoid-PHP from Backlog to Next (Ready) on the Security-Team-Reviews board.
Tue, Apr 30, 5:07 PM · Security-Team-Review-Active, Parsoid-PHP

Mon, Apr 29

sbassett added a comment to T221907: Security Concept Review For Parsoid-PHP.

Ok, thanks.

Mon, Apr 29, 3:32 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett triaged T221907: Security Concept Review For Parsoid-PHP as Normal priority.
Mon, Apr 29, 2:59 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett added a comment to T221907: Security Concept Review For Parsoid-PHP.

@ssastry - thanks for submitting this. I was just curious if there's a more concrete deployment date in mind than "Q1 2019/20". That would help us a bit more with our scheduling.

Mon, Apr 29, 2:59 PM · Security-Team-Review-Active, Parsoid-PHP
sbassett added a comment to T219831: Security Review For Kask.

@mobrovac et al - we should be able to get some initial analysis scheduled during our security review scrum tomorrow (April 30th) and follow up here. Again, this will most likely be a surface-level analysis of whatever is in master right now (which appears to be pretty stable at this point in time) and we should continue to explore supplemental review options from external vendors.

Mon, Apr 29, 2:57 PM · Security-Team-Review-Active, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett moved T216419: Security review - Wikibase Termbox Front End from In Progress (Min Weekly Updates) to Waiting On Response/Mitigation on the Security-Team-Review-Active board.
Mon, Apr 29, 2:47 PM · Security-Team-Review-Active
sbassett added a comment to T216974: Update phan-taint-check-plugin to a newer phan (1.3.2).

I guess as long as it's being pulled from a trusted repo like apt, it should be fine.

Mon, Apr 29, 2:23 PM · Patch-For-Review, phan-taint-check-plugin
sbassett added a comment to T216974: Update phan-taint-check-plugin to a newer phan (1.3.2).

A possible blocker for T218719 might be this, which is how releng/mediawiki-phan-seccheck builds it right now. To get to 1.0.1, we might have to use pecl or build it from source.

Mon, Apr 29, 2:11 PM · Patch-For-Review, phan-taint-check-plugin

Fri, Apr 26

sbassett updated subscribers of T216419: Security review - Wikibase Termbox Front End.
Fri, Apr 26, 10:14 PM · Security-Team-Review-Active
sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

Security Review Summary - T216419 - April 2019
Overall, this looks ok, and I'm basing a lot of that opinion on the RFC/new service tasks where this was heavily discussed (T213318, T212189). Given that the SSR isn't a public-facing service (and the client-side fallback is just transpiled JS), this review is a little different in that several standard web and mobile application attack surfaces are non-existent. As mentioned previously, this is using a large amount of external dependencies (412,875 lines!), and various mitigations and best practices should be explored via the recommendations at T216419#5141086 to address this issue. I would also like to spend a little more time examining potential issues around the HTML rendering, which I'm hopeful to get to next week. Though that shouldn't delay this review process any further. The Security-Team would also like to start framing these reviews within the context of risk and risk ownership - see our draft policy here - as opposed to a yes/no response. With the unmitigated issues mentioned on this task and within the report below, I would currently classify the risk of this application to be at least Medium/Moderate.

Fri, Apr 26, 10:13 PM · Security-Team-Review-Active
sbassett added a comment to T104164: Routinely audit projects that use package.json with nodesecurity.io.

I'd guess we could resolve this as 1) 4 years old, no action 2) nsp is basically now npm audit 3) there are several more current tasks (T203735, T179381, T174767, T96078) about security-scanning Node/TS applications.

Fri, Apr 26, 7:41 PM · Security-General, Security
sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek - for automated checks of what I'd call low-hanging fruit (reported CVEs, etc.) I would advise that, at a minimum, we get some CI tooling in place for various WMDE Node repos, if that currently isn't the case (sounds like it isn't.) Within a few different contexts, such tasks have had various starts/stops in the recent past (T179381, T174767, T96078, T104164) but T200717#4474050 leads me to believe that this is ready to go via the npm6 dockers as there are also instructions provided on how to get this set up (guessing it's adding the right jobs here.) This should reduce the manual effort on any developer's part and I'd guess these could be made non-voting (maybe even just the npm audit piece) if that were an issue. AIUI, these can also be set up to run when patches get pushed to gerrit or on a daily schedule (if you don't mind the spam.)

Fri, Apr 26, 5:52 PM · Security-Team-Review-Active

Thu, Apr 25

sbassett triaged T221868: Send out wikitech-l post for T25227 ("Use token when logging out") as Low priority.
Thu, Apr 25, 3:50 PM · MediaWiki-Authentication-and-authorization, Security

Wed, Apr 24

sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

Update: I still plan to have a review completed by the end of this week (April 26th). After performing some basic analysis, I'm seeing several issues surrounding dependent packages. Many of these are dev dependencies, but there are some high prod vulnerabilities around older versions of js-yaml and some additional deprecation warnings (via both npm audit and npm outdated). I plan to attach these findings to my final report, but they can be easily enumerated by a developer right now via the relevant npm commands.

Wed, Apr 24, 10:04 PM · Security-Team-Review-Active
sbassett added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

Some basic, quick checks:

  1. bulma.io CSS
    1. No CVEs, nothing in snyk.io or npm audit dbs, no reported/open security issues found on their github.
  2. rawdog
    1. No CVEs, nothing in snyk.io db, nothing in python safety db.
  3. rawdog dependencies
    1. python-tidylib - No CVEs, nothing in snyk.io db, nothing in python safety db.
    2. python-feedparser - Some CVEs in older versions, but nothing post 5.1.2.

Wed, Apr 24, 7:18 PM · Security-Team-Review-Active, Wikimedia-Planet
sbassett added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

So for this review, it looks like we're talking about:

  1. rawdog (the aforementioned, disgustingly-named stretch package)
  2. rawdog's dependencies:
    1. python27
    2. python-feedparser >= 5.1.2
    3. python-tidylib
  3. Some CSS that looks the same across all language sub-sites:
    1. https://en.planet.wikimedia.org/main.css
    2. https://en.planet.wikimedia.org/bulma.min.css (https://bulma.io/)
  4. This JS in a <script> tag towards the bottom of the main page, which appears to add/remove CSS classes from various dom elements:
document.addEventListener('DOMContentLoaded', function() {
Wed, Apr 24, 6:58 PM · Security-Team-Review-Active, Wikimedia-Planet
sbassett moved T215048: Security review for the WikimediaEditorTasks extension from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:43 PM · Security-Team-Reviews, Wikipedia-Android-App-Backlog, WikimediaEditorTasks, Reading-Infrastructure-Team-Backlog
sbassett edited projects for T215048: Security review for the WikimediaEditorTasks extension, added: Security-Team-Reviews; removed Security-Team-Review-Active.
Wed, Apr 24, 6:42 PM · Security-Team-Reviews, Wikipedia-Android-App-Backlog, WikimediaEditorTasks, Reading-Infrastructure-Team-Backlog
sbassett moved T152: Install PHPExcel so I can export reports from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:42 PM · Security-Team-Reviews, Phabricator, Wikimedia Phabricator RfC
sbassett moved T65445: security review of Flow's templating from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, StructuredDiscussions
sbassett moved T31806: Install extension Pchart4mw on en.wikipedia.org from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, Wikimedia-Extension-setup
sbassett moved T613: Arcanist security review (before being used in WMF deployments) from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Differential, Security-Team-Reviews
sbassett moved T69533: security review of WikibaseQuery from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, Wikidata, MediaWiki-extensions-WikibaseQuery
sbassett moved T69536: security review of WikibaseQueryEngine from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, Wikidata, WikibaseQueryEngine
sbassett moved T71541: security review for Capiunto from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Wikidata, Security-Team-Reviews, MediaWiki-extensions-Capiunto
sbassett moved T71798: Security review of RecentActivityFeed from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, MediaWiki-extensions-RecentActivityFeed
sbassett moved T78221: Create "Security-Reviews" project from Frozen to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, Project-Admins
sbassett moved T78221: Create "Security-Reviews" project from Backlog to Frozen on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Security-Team-Reviews, Project-Admins
sbassett moved T78808: Security review for ApiFeatureUsage extension from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:41 PM · Patch-For-Review, ApiFeatureUsage, Wikimedia-Extension-setup, Security-Team-Reviews
sbassett moved T85861: Need security review for Lightncandy v0.18 (v0.15 already reviewed) from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:40 PM · Security-Team-Reviews
sbassett moved T86677: Quick/short security review of Extension:Sentry from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:40 PM · Security-Team-Reviews, Multimedia, Sentry, Patch-For-Review
sbassett moved T88171: Overall security review of Popups/Hovercards extension from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:40 PM · Patch-For-Review, Security-Team-Reviews, Page-Previews
sbassett moved T88261: Security review for Extension:Josa from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:40 PM · Wikimedia-extension-review-queue, MediaWiki-extensions-Josa, Security-Team-Reviews
sbassett moved T88993: Security review SMTP status code parsing in BounceHandler from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:40 PM · MediaWiki-Core-Team, Security-Team-Reviews, MediaWiki-extensions-BounceHandler
sbassett moved T85686: Content Translation Beta Feature security review from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:39 PM · Security-Team-Reviews, Patch-For-Review, MediaWiki-Core-Team, ContentTranslation-Release3, ContentTranslation, ContentTranslation-Deployments, LE-Sprint-81
sbassett moved T88748: Install SMW on AffCom wiki from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:39 PM · Wikimedia-Site-requests, Security-Team-Reviews, Wikimedia-Extension-setup
sbassett moved T90409: Security review for liuggio/statsd-php-client from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:39 PM · Patch-For-Review, Security-Team-Reviews, MediaWiki-Vendor
sbassett moved T90115: BlazeGraph Security Review from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:39 PM · Discovery, Wikidata, Security-Team, Security-Team-Reviews, Wikidata-Query-Service
sbassett moved T91778: Security review of Gather extension from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:39 PM · Gather Sprint Diplodocus, Security-Team-Reviews, Gather
sbassett moved T93126: Perform a security review of graphoid from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:38 PM · Graphoid, Patch-For-Review, Scrum-of-Scrums, Blocked-on-Security, Security-Team-Reviews, Services
sbassett moved T94186: Security review of Wikicaptcha from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:38 PM · Security-Team-Reviews, ConfirmEdit (CAPTCHA extension)
sbassett moved T75950: kafkatee security review from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:38 PM · Security-Team-Reviews, MediaWiki-Core-Team
sbassett moved T99086: Add composer/semver 0.1.0 to mediawiki/vendor from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:37 PM · Patch-For-Review, Security-Team, Composer, Security-Team-Reviews, MediaWiki-Vendor, MediaWiki-Configuration
sbassett moved T99352: Security review of Wikibase-Quality from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:37 PM · Security-Team, Wikidata, Security-Team-Reviews, Wikibase-Quality
sbassett moved T99355: Security review of Wikibase-Quality-Constraints - v1 branch from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:37 PM · Wikibase-Quality, Security-Team, Wikidata, Wikibase-Quality-Constraints, Security-Team-Reviews
sbassett moved T102649: Ex:WikibaseQuality - Needs to escape output by default from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:37 PM · Patch-For-Review, Wikibase-Quality, Security-Team-Reviews, Wikidata, Security-Team
sbassett moved T103185: Security review of kzykhys/pygments from Backlog to Archive on the Security-Team-Reviews board.
Wed, Apr 24, 6:36 PM · MediaWiki-Vendor, Patch-For-Review, Security-Team, SyntaxHighlight, Security-Team-Reviews