- User Since
- Nov 5 2021, 2:54 PM (81 w, 4 d)
- LDAP User
- MediaWiki User
- MMartorana (WMF) [ Global Accounts ]
Hi @EMagallanes - I have included you in the acl-security-legal group. Could you please verify if the permissions appear correct at this time? Thank you.
Wed, May 24
Hi @EMagallanes - To proceed, we kindly request your manager's approval.
Tue, May 16
Thu, May 11
Tue, May 9
Hey @eoghan - I have included you in the acl-security-sre group. Could you please verify if the permissions appear correct at this time? Thank you.
Wed, May 3
Apr 28 2023
Hi - we appreciate your inquire, but we regret to inform you that we currently do not provide support for this particular form of pre-release access and have no immediate plans to do so.
Apr 26 2023
Apr 24 2023
Hi - this task will be made public soon.
Apr 7 2023
As previously mentioned, the additional powers granted by int-admin privileges already pose a significant risk in terms of potential damage. Therefore, restricting the use of withJS would result in more limitations than benefit for this particular scenario.
As mentioned in the preceding comments, unfortunately, the Security-Team cannot dedicate their efforts to resolving this issue due to its high level of complexity and negligible potential impact.
Apr 4 2023
Supplemental announcement is out!
Apr 3 2023
Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.10/1.38.6/1.39.3)
Mar 31 2023
Mar 27 2023
Hi @NCommander - thanks for reporting this issue.
In case anyone is interested in writing a patch that can enhance the processing of PNG files with crop information and reject any data beyond the IEND binary marker, we would be open to that. Please note that it's not our system but Android devices that are susceptible to this issue.
Mar 24 2023
Mar 20 2023
Mar 13 2023
Hi @alex-mashin - I'm sorry, but I'm not able to reproduce the problem in version 1.35 either. Could you please give me more information to help me understand the issue better?
Mar 8 2023
Hi @alex-mashin - I cannot reproduce this issue in current master version as well.
Feb 16 2023
Feb 6 2023
Feb 3 2023
Jan 31 2023
Hi @pfischer - security access has been granted.
Jan 27 2023
Jan 25 2023
Hi @Stevemunene - Access has been granted.
Jan 24 2023
Hi @WMDE-leszek - A risk rating of medium requires mitigations to reduce to a lower risk level or risk acceptance/ownership at the manager/director level at the WMF.
Jan 20 2023
Security Review Summary - T316523 - 2023-01-20
Jan 17 2023
Hi SRE and @Stevemunene - Can we get your manager's approval, please?
Jan 12 2023
Supplemental announcement is out!
Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.9/1.38.4/1.39.1)
Jan 10 2023
Jan 5 2023
Hi @WMDE-leszek - I am going to post this security review within the next 3 weeks.
Dec 22 2022
Dec 19 2022
Since the risk for this issue is very low, we are not going to deploy it to WMF production at this moment.
Dec 9 2022
Dec 6 2022
Hi @Lectrician1 - I wanted to point out that the Security-Team is not disapproving the change; we have just rated it as medium risk.
Dec 5 2022
Hi - The Security-Team has reviewed this proposed feature, and our feedback is that even though we agree in using Gitlab as a central repository for userscripts and gadgets would be a good idea, we don't suggest to achieve this by removing the nosniff option, as we would be exposed to several kinds of attacks such as: MIME confusion attacks and unauthorized hotlinking. The risk of doing this would be medium.
Nov 28 2022
Nov 24 2022
Nov 21 2022
Nov 14 2022
Oct 18 2022
Hi @AnneT - Thanks for investigating these issues. The review came in as low risk, so I am just going to resolve this ticket for the moment.
Oct 13 2022
Hi @Dreamy_Jazz - We appreciate the mention, but unfortunately we do not plan to work on this issue anytime soon.
Oct 11 2022
Hi @AnneT - even though my review has an overall risk of low, do you have any plans for addressing those issues?
Oct 10 2022
Oct 6 2022
Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.8/1.37.5/1.38.3)
Oct 5 2022
Oct 4 2022
+ (T308861, CVE-2022-39191) - OAuth debug log includes consumer secrets
Sep 26 2022
Security Review Summary - T308495 - 2022-09-26
Sep 20 2022
Hi Anti-Harassment team, do you have any interest in working on the porting of this patch?
Sep 15 2022
Hi @Tgr - thank you for your patch.