
sbassett (Scott Bassett)
Staff Security Architect

User Details

User Since
Sep 12 2018, 3:52 PM (198 w, 1 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett updated the task description for T311721: Onboard Cleo to Security Team.
Thu, Jun 30, 2:15 PM · Phabricator, Security-Team
sbassett added a member for Trusted-Contributors: Cleo_Lemoisson.
Thu, Jun 30, 2:14 PM
sbassett created T311721: Onboard Cleo to Security Team.
Thu, Jun 30, 1:56 PM · Phabricator, Security-Team

Wed, Jun 29

sbassett added a comment to T307962: Re-implement semgrep ci includes.

fake-gitlab-bot: - Initial commit for repo, mostly app structure - https://gitlab.wikimedia.org/repos/security/semgrep-merge-tool/-/merge_requests/1

Wed, Jun 29, 10:50 PM · SecTeam-Processed, user-sbassett, GitLab (CI & Job Runners), Security, Security Team AppSec, Security-Team
sbassett closed T311660: Security Issue Access Request for Demon as Resolved.

Just added them to acl*security_releng, which should give them implicit membership within acl*security. Which should be all they need.

Wed, Jun 29, 6:47 PM · SecTeam-Processed, Release-Engineering-Team (Radar), Security-Team, Security
sbassett added a member for acl*security_releng: demon.
Wed, Jun 29, 6:45 PM
sbassett removed a member for acl*security_releng: demon.
Wed, Jun 29, 6:45 PM
sbassett added a member for acl*security_releng: demon.
Wed, Jun 29, 6:43 PM
sbassett moved T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750) from Watching to Our Part Is Done on the Security-Team board.

I think we’re done here (but please reopen if the task should still be open for security release process purposes).

Wed, Jun 29, 4:34 PM · Special:NewLexeme revival (Special:NewLexeme revival - sprint 11), MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), Patch-For-Review, Vuln-DoS, Wikidata Lexicographical data, Wikidata, Security, Security-Team
sbassett added a project to T311360: RecentChanges timing out: Vuln-DoS.
Wed, Jun 29, 3:39 PM · Upstream, mariadb-optimizer-bug, Slow-DB-Query, Performance-Team, DBA, Platform Engineering, Vuln-DoS, Wikimedia-production-error, Growth-Team, MediaWiki-Recent-changes
sbassett added a comment to T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750).

This appeared in the CVE feed as https://www.cve.org/CVERecord?id=CVE-2022-34750

Wed, Jun 29, 1:50 PM · Special:NewLexeme revival (Special:NewLexeme revival - sprint 11), MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), Patch-For-Review, Vuln-DoS, Wikidata Lexicographical data, Wikidata, Security, Security-Team

Tue, Jun 28

sbassett reopened T304885: Application Security Review Request : Image Suggestions Service as "In Progress".
Tue, Jun 28, 4:20 PM · Generated Data Platform, secscrum, Security, Application Security Reviews
sbassett moved T304885: Application Security Review Request : Image Suggestions Service from In Progress to Our Part Is Done on the secscrum board.
Tue, Jun 28, 4:19 PM · Generated Data Platform, secscrum, Security, Application Security Reviews

Mon, Jun 27

sbassett moved T302472: Application Security Review Request : Abstract Wikipedia function-schemata from In Progress to Waiting on the secscrum board.
Mon, Jun 27, 8:49 PM · user-sbassett, secscrum, Security, Application Security Reviews
sbassett added a comment to T302472: Application Security Review Request : Abstract Wikipedia function-schemata.

Security Review Summary - T302472 - 2022-06-27
Last commit reviewed: 7cf228480a

Mon, Jun 27, 8:42 PM · user-sbassett, secscrum, Security, Application Security Reviews
sbassett triaged T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750) as Low priority.
Mon, Jun 27, 6:46 PM · Special:NewLexeme revival (Special:NewLexeme revival - sprint 11), MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), Patch-For-Review, Vuln-DoS, Wikidata Lexicographical data, Wikidata, Security, Security-Team
sbassett added a comment to T294362: Image Suggestions POC Deprecation & Plan for Production.

@sbassett we are aligned on not wanting this to drag on. That said, I think deploying the config patch to switch to the API would be better to do on Monday, so we have more time to deal with any issues that come up. So I'll plan on that, if that sounds OK to you.

Mon, Jun 27, 5:22 PM · Structured-Data-Backlog, Image-Suggestions

Fri, Jun 24

sbassett added a comment to T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750).

Hey @Lucas_Werkmeister_WMDE - The security team is attempting to get the next supplemental security release (T305209) out within the next week or two, and we were hoping to include this bug. I know there was some discussion above about polishing the two existing security patches a bit more. Would you still prefer to do that or should we try to push what exists now up to gerrit, get them merged so we can remove the patches from production and have something available for the supplemental release? I'd prefer that approach but I'm also fine with waiting and keeping this bug locked down for a while longer, perhaps until next quarter's supplemental security release, but likely not after that.

Fri, Jun 24, 6:52 PM · Special:NewLexeme revival (Special:NewLexeme revival - sprint 11), MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), Patch-For-Review, Vuln-DoS, Wikidata Lexicographical data, Wikidata, Security, Security-Team
sbassett added a project to T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750): Vuln-DoS.
Fri, Jun 24, 6:33 PM · Special:NewLexeme revival (Special:NewLexeme revival - sprint 11), MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), Patch-For-Review, Vuln-DoS, Wikidata Lexicographical data, Wikidata, Security, Security-Team
sbassett added a comment to T294362: Image Suggestions POC Deprecation & Plan for Production.

@kostajh - Sounds good, thanks for the update. A few extra days beyond the deadline is fine. We just don't want that turning into weeks or months, so if the work appears to be heading in that direction due to unknowns, etc, please let us know so that we can recalibrate on the grant. Also - the AppSec team is still planning to complete T304885 by the end of this current quarter, or thereabouts.

Fri, Jun 24, 4:01 PM · Structured-Data-Backlog, Image-Suggestions

Wed, Jun 22

sbassett set Author Affiliation to community on T290313: Batch purge pages with a high limit like >= 11, can be slow and might timeout (The number of batch purge pages should be reduced to 10).
Wed, Jun 22, 3:09 PM · SecTeam-Processed, Vuln-DoS, Security-Team, Security, MediaWiki-Action-API, User-IN
sbassett removed a project from T310887: Add support for specifying the PHP version used?: Security-Team.
Wed, Jun 22, 2:35 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett added a comment to T310887: Add support for specifying the PHP version used?.

Ok, I've made this task public since there isn't really a security issue here. We can leave it open for a while to see if anybody would like to implement the version selection functionality.

Wed, Jun 22, 2:35 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett changed the visibility for T310887: Add support for specifying the PHP version used?.
Wed, Jun 22, 2:34 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett moved T310312: Offboard John Bennett from Security Team from In Progress to Done on the user-sbassett board.
Wed, Jun 22, 2:30 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett closed T310312: Offboard John Bennett from Security Team as Resolved.
Wed, Jun 22, 2:30 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett changed the visibility for T308473: Username not escaped in the contributions-title message.
Wed, Jun 22, 2:36 AM · MW-1.38-notes, MW-1.37-notes, user-sbassett, SecTeam-Processed, MediaWiki-Logevents, Vuln-XSS, Security, Security-Team
sbassett moved T308473: Username not escaped in the contributions-title message from In Progress to Done on the user-sbassett board.
Wed, Jun 22, 2:36 AM · MW-1.38-notes, MW-1.37-notes, user-sbassett, SecTeam-Processed, MediaWiki-Logevents, Vuln-XSS, Security, Security-Team
sbassett moved T308473: Username not escaped in the contributions-title message from In Progress to Our Part Is Done on the Security-Team board.
Wed, Jun 22, 2:36 AM · MW-1.38-notes, MW-1.37-notes, user-sbassett, SecTeam-Processed, MediaWiki-Logevents, Vuln-XSS, Security, Security-Team
sbassett closed T308473: Username not escaped in the contributions-title message, a subtask of T2212: Some MediaWiki: messages not safe in HTML (tracking), as Resolved.
Wed, Jun 22, 2:35 AM · Tracking-Neverending, I18n, MediaWiki-Internationalization
sbassett closed T308473: Username not escaped in the contributions-title message as Resolved.
Wed, Jun 22, 2:35 AM · MW-1.38-notes, MW-1.37-notes, user-sbassett, SecTeam-Processed, MediaWiki-Logevents, Vuln-XSS, Security, Security-Team
sbassett closed T310314: Offboard David Sharpe from Security Team as Resolved.
Wed, Jun 22, 1:53 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett moved T310314: Offboard David Sharpe from Security Team from In Progress to Done on the user-sbassett board.
Wed, Jun 22, 1:53 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett closed T310314: Offboard David Sharpe from Security Team, a subtask of T310463: Check home/HDFS leftovers of dsharpe, as Resolved.
Wed, Jun 22, 1:53 AM · Data-Engineering
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Wed, Jun 22, 1:52 AM · SecTeam-Processed, user-sbassett, Security-Team

Tue, Jun 21

sbassett updated subscribers of T308473: Username not escaped in the contributions-title message.
Tue, Jun 21, 9:32 PM · MW-1.38-notes, MW-1.37-notes, user-sbassett, SecTeam-Processed, MediaWiki-Logevents, Vuln-XSS, Security, Security-Team
sbassett closed T301389: Application Security Review Request : Wikistories as Resolved.
Tue, Jun 21, 9:26 PM · MW-1.39-notes (1.39.0-wmf.12; 2022-05-16), user-sbassett, Wikistories (MVP), Inuka-Team, secscrum, Security, Application Security Reviews
sbassett moved T301389: Application Security Review Request : Wikistories from Waiting to Done on the user-sbassett board.
Tue, Jun 21, 9:26 PM · MW-1.39-notes (1.39.0-wmf.12; 2022-05-16), user-sbassett, Wikistories (MVP), Inuka-Team, secscrum, Security, Application Security Reviews
sbassett added a comment to T301389: Application Security Review Request : Wikistories.

About the various vulnerable or outdated packages, it looks like there's no need to do anything about it now. Let me know if I missed anything.

Tue, Jun 21, 9:25 PM · MW-1.39-notes (1.39.0-wmf.12; 2022-05-16), user-sbassett, Wikistories (MVP), Inuka-Team, secscrum, Security, Application Security Reviews
sbassett added a comment to T310887: Add support for specifying the PHP version used?.

Could you be a bit more specific on which Docker image exactly you're using (by providing a link)? Unfortunately there are at least 2 or 3 different projects that at one point or another could be considered "MediaWiki's official Docker image"

Tue, Jun 21, 6:15 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett added a member for Project-Admins: sbassett.
Tue, Jun 21, 4:34 PM
sbassett changed the visibility for T310098: acl*wmcs-team, acl*blog-admins joinable by anyone.
Tue, Jun 21, 4:31 PM · User-MarcoAurelio, Phabricator, Security, Security-Team
sbassett triaged T310887: Add support for specifying the PHP version used? as Low priority.
Tue, Jun 21, 4:20 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett moved T310887: Add support for specifying the PHP version used? from Incoming to Watching on the Security-Team board.
Tue, Jun 21, 4:19 PM · Docker-Hub-MediaWiki, SecTeam-Processed, Security
sbassett claimed T298784: Security Issue Access Request for Zabe.
Tue, Jun 21, 4:13 PM · user-sbassett, Security-Team, SecTeam-Processed, Security
sbassett moved T298784: Security Issue Access Request for Zabe from Backlog to In Progress on the user-sbassett board.
Tue, Jun 21, 4:13 PM · user-sbassett, Security-Team, SecTeam-Processed, Security
sbassett set Author Affiliation to tech on T310304: MediaWiki-Docker exposes wiki admin password to web.
Tue, Jun 21, 4:08 PM · SecTeam-Processed, MediaWiki-Docker, Security, Security-Team
sbassett closed T310304: MediaWiki-Docker exposes wiki admin password to web as Declined.
Tue, Jun 21, 4:08 PM · SecTeam-Processed, MediaWiki-Docker, Security, Security-Team
sbassett moved T308471: Username is not escaped in the "welcomeuser" message from In Progress to Done on the user-sbassett board.
Tue, Jun 21, 3:19 PM · MW-1.35-notes, MW-1.38-notes, MW-1.37-notes, MW-1.39-notes (1.39.0-wmf.16; 2022-06-13), user-sbassett, SecTeam-Processed, MediaWiki-User-login-and-signup, Vuln-XSS, Security, Security-Team
sbassett closed T308471: Username is not escaped in the "welcomeuser" message as Resolved.
Tue, Jun 21, 3:18 PM · MW-1.35-notes, MW-1.38-notes, MW-1.37-notes, MW-1.39-notes (1.39.0-wmf.16; 2022-06-13), user-sbassett, SecTeam-Processed, MediaWiki-User-login-and-signup, Vuln-XSS, Security, Security-Team
sbassett closed T308471: Username is not escaped in the "welcomeuser" message, a subtask of T2212: Some MediaWiki: messages not safe in HTML (tracking), as Resolved.
Tue, Jun 21, 3:18 PM · Tracking-Neverending, I18n, MediaWiki-Internationalization
sbassett added a comment to T308471: Username is not escaped in the "welcomeuser" message.

This picked cleanly to all supported releases. If those test fine, I'll plan to merge them and this task can be resolved.

Tue, Jun 21, 2:48 PM · MW-1.35-notes, MW-1.38-notes, MW-1.37-notes, MW-1.39-notes (1.39.0-wmf.16; 2022-06-13), user-sbassett, SecTeam-Processed, MediaWiki-User-login-and-signup, Vuln-XSS, Security, Security-Team
sbassett moved T290917: New Service Request Security API Gateway from In Progress to Waiting on the user-sbassett board.
Tue, Jun 21, 2:34 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett claimed T310314: Offboard David Sharpe from Security Team.
Tue, Jun 21, 2:32 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Tue, Jun 21, 2:31 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 21, 2:31 PM · SecTeam-Processed, user-sbassett, Security-Team

Thu, Jun 16

sbassett added a comment to T301389: Application Security Review Request : Wikistories.

Security Review Summary - T301389 - 2022-06-16
Last commit reviewed: 96c13a2676

Thu, Jun 16, 11:11 PM · MW-1.39-notes (1.39.0-wmf.12; 2022-05-16), user-sbassett, Wikistories (MVP), Inuka-Team, secscrum, Security, Application Security Reviews
sbassett added a comment to T310564: Have the Security API Service's docker-compose use a custom network.

I ended up merging the changes to security-api's docker-compose.yml as a convenience. This way a default, named network is established for easier integration with mediawiki-docker or other containerized environments in the future.

Thu, Jun 16, 8:16 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett moved T310564: Have the Security API Service's docker-compose use a custom network from In Progress to Done on the user-sbassett board.
Thu, Jun 16, 8:14 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett closed T310564: Have the Security API Service's docker-compose use a custom network as Resolved.
Thu, Jun 16, 8:14 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett closed T310564: Have the Security API Service's docker-compose use a custom network, a subtask of T290917: New Service Request Security API Gateway, as Resolved.
Thu, Jun 16, 8:14 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett claimed T310564: Have the Security API Service's docker-compose use a custom network.
Thu, Jun 16, 8:14 PM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett added a comment to T310535: GitLab runners: allowed_images patterns need to be loosened to include subdirectories.

@sbassett: With that patch merged, this should take effect once runners are re-registered. I can probably get to that after train.

Thu, Jun 16, 6:19 PM · User-brennen, Release-Engineering-Team, GitLab (CI & Job Runners)
sbassett closed T290313: Batch purge pages with a high limit like >= 11, can be slow and might timeout (The number of batch purge pages should be reduced to 10) as Declined.

Testing the link within the description (unauth'd) I'm not even able to generate a timeout error. I'm seeing some higher run times, in the 30 to 40 second range, but at worst, this seems like it may occasionally trigger some low-risk resource exhaustion. I concur that this should be declined for now, unless it can be demonstrated that the action api url in question consistently causes significant resource exhaustion to the point of being a much more significant and viable DoS vector.

Thu, Jun 16, 4:49 PM · SecTeam-Processed, Vuln-DoS, Security-Team, Security, MediaWiki-Action-API, User-IN
sbassett added a comment to T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images .
Thu, Jun 16, 4:01 PM · GitLab, Release-Engineering-Team, Gitlab-Application-Security-Pipeline
sbassett merged T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images into T310535: GitLab runners: allowed_images patterns need to be loosened to include subdirectories.
Thu, Jun 16, 4:00 PM · User-brennen, Release-Engineering-Team, GitLab (CI & Job Runners)
sbassett merged task T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images into T310535: GitLab runners: allowed_images patterns need to be loosened to include subdirectories.
Thu, Jun 16, 4:00 PM · GitLab, Release-Engineering-Team, Gitlab-Application-Security-Pipeline
sbassett updated subscribers of T298784: Security Issue Access Request for Zabe.

So we have a new, interim director of security at this time: @Jcross. I plan to bring this issue to them soon for reconsideration. And hopefully have an answer before T305731 is fully-resolved.

Thu, Jun 16, 3:51 PM · user-sbassett, Security-Team, SecTeam-Processed, Security
sbassett added a comment to T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images .

Hey Release-Engineering-Team - guessing the releng path might need to be explicitly allow-listed as well? So: docker-registry.wikimedia.org/releng/*? And maybe docker-registry.wikimedia.org/dev/* as well? Assuming those are images we wish to allow within Gitlab CI.

Thu, Jun 16, 3:49 PM · GitLab, Release-Engineering-Team, Gitlab-Application-Security-Pipeline
sbassett awarded T310748: Deactivate fundraising accounts for dvargas@bishopfox.com a Like token.
Thu, Jun 16, 3:11 PM · SecTeam-Processed, Security-Team, fundraising-tech-ops
sbassett moved T310748: Deactivate fundraising accounts for dvargas@bishopfox.com from Incoming to Our Part Is Done on the Security-Team board.
Thu, Jun 16, 3:11 PM · SecTeam-Processed, Security-Team, fundraising-tech-ops
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Thu, Jun 16, 3:06 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Thu, Jun 16, 3:05 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Thu, Jun 16, 3:04 PM · SecTeam-Processed, user-sbassett, Security-Team

Wed, Jun 15

sbassett added a project to T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images : GitLab.
Wed, Jun 15, 4:00 PM · GitLab, Release-Engineering-Team, Gitlab-Application-Security-Pipeline
sbassett edited projects for T310718: Gitlab pipeline not working with "docker-registry.wikimedia.org/releng/" images , added: Release-Engineering-Team; removed Release-Engineering-Team (GitLab-a-thon 🦊).
Wed, Jun 15, 4:00 PM · GitLab, Release-Engineering-Team, Gitlab-Application-Security-Pipeline

Tue, Jun 14

sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Tue, Jun 14, 8:11 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 14, 8:04 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett awarded T310563: Create project tag for Gitlab Application Security Pipeline a Like token.
Tue, Jun 14, 3:00 PM · Project-Admins
sbassett triaged T310564: Have the Security API Service's docker-compose use a custom network as Medium priority.
Tue, Jun 14, 2:55 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett moved T310564: Have the Security API Service's docker-compose use a custom network from Backlog to In Progress on the user-sbassett board.
Tue, Jun 14, 2:55 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett moved T310564: Have the Security API Service's docker-compose use a custom network from Incoming to In Progress on the Security-Team board.
Tue, Jun 14, 2:55 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett changed the status of T310564: Have the Security API Service's docker-compose use a custom network, a subtask of T290917: New Service Request Security API Gateway, from Open to In Progress.
Tue, Jun 14, 2:54 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett changed the status of T310564: Have the Security API Service's docker-compose use a custom network from Open to In Progress.
Tue, Jun 14, 2:54 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett created T310564: Have the Security API Service's docker-compose use a custom network.
Tue, Jun 14, 2:54 AM · Security-API-Service, user-sbassett, Security, Security-Team
sbassett created T310563: Create project tag for Gitlab Application Security Pipeline.
Tue, Jun 14, 2:37 AM · Project-Admins
sbassett triaged T305728: Create project tag for Security API Service as Lowest priority.
Tue, Jun 14, 2:33 AM · Project-Admins
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 14, 2:29 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett removed a project from T310312: Offboard John Bennett from Security Team: Patch-For-Review.
Tue, Jun 14, 2:28 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett removed a project from T310314: Offboard David Sharpe from Security Team: Patch-For-Review.
Tue, Jun 14, 2:17 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Tue, Jun 14, 2:16 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Tue, Jun 14, 2:00 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 14, 1:55 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 14, 1:49 AM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Tue, Jun 14, 1:46 AM · SecTeam-Processed, user-sbassett, Security-Team

Mon, Jun 13

sbassett reopened T298784: Security Issue Access Request for Zabe as "Open".

@sbassett I see that @Dsharpe has been offboarded. Is there someone else I can ask now?

Mon, Jun 13, 9:36 PM · user-sbassett, Security-Team, SecTeam-Processed, Security
sbassett added a comment to T308471: Username is not escaped in the "welcomeuser" message.

But OutputPage::setPageTitle() calls Sanitizer::removeSomeTags, is that not enough?

Mon, Jun 13, 9:06 PM · MW-1.35-notes, MW-1.38-notes, MW-1.37-notes, MW-1.39-notes (1.39.0-wmf.16; 2022-06-13), user-sbassett, SecTeam-Processed, MediaWiki-User-login-and-signup, Vuln-XSS, Security, Security-Team
sbassett updated the task description for T310312: Offboard John Bennett from Security Team.
Mon, Jun 13, 8:31 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Mon, Jun 13, 8:31 PM · SecTeam-Processed, user-sbassett, Security-Team
sbassett updated the task description for T310314: Offboard David Sharpe from Security Team.
Mon, Jun 13, 8:31 PM · SecTeam-Processed, user-sbassett, Security-Team