
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (81 w, 2 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Mon, Mar 30

sbassett triaged T248483: Security Readiness Review For MediaModeration as Medium priority.
Mon, Mar 30, 3:13 PM · secscrum, Security, Security Readiness Reviews

Thu, Mar 26

sbassett moved T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1) from Waiting to Done on the user-sbassett board.
Thu, Mar 26, 8:43 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett closed T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1), a subtask of T240392: Release MediaWiki 1.31.7/1.33.3/1.34.1, as Resolved.
Thu, Mar 26, 8:43 PM · Security, MediaWiki-Releasing
sbassett closed T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1) as Resolved.

Done and done.

Thu, Mar 26, 8:43 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett added a comment to T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).

Subject: MediaWiki Extensions and Skins Security Release Supplement

Thu, Mar 26, 8:27 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett updated the task description for T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).
Thu, Mar 26, 8:21 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett closed T236509: XSS on Special:UserRights as Resolved.

Thanks @Reedy @Bawolff and @matmarex for taking care of 1.31 and 1.33!

Thu, Mar 26, 7:20 PM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett added a comment to T232932: User content can redirect the logout button to different URL (CVE-2020-10959).

There's a Herald rule that doesn't let users mistakenly "open" a ticket to public when it has the PermanentlyPrivate tag on it. I think here it was used as more of a tool. Fixing it should not be that hard: create a tag like "StayPrivate" and use that instead (with the proper Herald rules added).

Thu, Mar 26, 7:10 PM · MW-1.34-notes, MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Security-Team, Security, MediaWiki-Interface
sbassett reopened T236509: XSS on Special:UserRights as "Open".

Actually, re-opening to attempt some backports to release branches. And obviously this won't be held for a security release since the patch went through gerrit.

Thu, Mar 26, 3:59 AM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett moved T236509: XSS on Special:UserRights from Backlog to Done on the user-sbassett board.
Thu, Mar 26, 3:57 AM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett moved T236509: XSS on Special:UserRights from In Progress to Our Part Is Done on the Security-Team board.
Thu, Mar 26, 3:57 AM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett changed the visibility for T236509: XSS on Special:UserRights.
Thu, Mar 26, 3:56 AM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett closed T236509: XSS on Special:UserRights as Resolved.

Looks like I re-discovered and fixed this issue with change https://gerrit.wikimedia.org/r/c/mediawiki/core/+/582909. I was not aware it was filed as a security bug.

Thu, Mar 26, 3:56 AM · MW-1.33-notes, MW-1.31-release-notes, MW-1.34-notes, Security, user-sbassett, Security-Team, Vuln-XSS, MediaWiki-Special-pages
sbassett added a comment to T248360: Phan warning in "includes/specials/SpecialMobileDiff.php" - working around by disabling.

@matmarex @sbassett looks like we can revert this change now?

Thu, Mar 26, 3:53 AM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Patch-For-Review, Readers-Web-Backlog (Kanbanana-2019-20-Q3), Security-Team, Security, phan-taint-check-plugin
sbassett closed T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases, a subtask of T240392: Release MediaWiki 1.31.7/1.33.3/1.34.1, as Resolved.
Thu, Mar 26, 3:42 AM · Security, MediaWiki-Releasing
sbassett closed T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases as Resolved.

Done and updated on T240393:
T232932: CVE-2020-10959
T246602: CVE-2020-10960

Thu, Mar 26, 3:42 AM · Security, MediaWiki-Releasing
sbassett renamed T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960) from makeCollapsible allows applying event handler to any CSS selector to makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960).
Thu, Mar 26, 3:40 AM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), MW-1.33-notes, MW-1.34-notes, MW-1.31-release-notes, MediaWiki-General, Security, Security-Team
sbassett renamed T232932: User content can redirect the logout button to different URL (CVE-2020-10959) from User content can redirect the logout button to different URL to User content can redirect the logout button to different URL (CVE-2020-10959).
Thu, Mar 26, 3:40 AM · MW-1.34-notes, MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Security-Team, Security, MediaWiki-Interface
sbassett updated the task description for T240393: Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.
Thu, Mar 26, 3:39 AM · Security, MediaWiki-Releasing

Wed, Mar 25

sbassett added a comment to T240395: Write and send release announcements for MediaWiki 1.31.7/1.33.3/1.34.1.

Not sure what we want to do about T234104, re: mentioning it as part of the release announcement.

Wed, Mar 25, 3:08 AM · Security, MediaWiki-Releasing
sbassett added a comment to T234104: PageTriage: Api allows spamming users with notifications.

Should this be made public?

Wed, Mar 25, 3:05 AM · Security-Team, Growth-Team, PageCuration, User-DannyS712
sbassett changed the visibility for T234104: PageTriage: Api allows spamming users with notifications.
Wed, Mar 25, 3:04 AM · Security-Team, Growth-Team, PageCuration, User-DannyS712
sbassett added a comment to T240393: Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.

CVEs requested. Will update table in task description and task titles when I have them.

Wed, Mar 25, 2:55 AM · Security, MediaWiki-Releasing
sbassett added a comment to T248360: Phan warning in "includes/specials/SpecialMobileDiff.php" - working around by disabling.

Can you add me to that ticket @sbassett ? Thanks in advance!

Wed, Mar 25, 1:52 AM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Patch-For-Review, Readers-Web-Backlog (Kanbanana-2019-20-Q3), Security-Team, Security, phan-taint-check-plugin

Tue, Mar 24

sbassett closed T247634: [ignore] test report case as Resolved.
Tue, Mar 24, 3:47 PM · secscrum
sbassett moved T247634: [ignore] test report case from In Progress to Our Part Is Done on the secscrum board.
Tue, Mar 24, 3:46 PM · secscrum
sbassett moved T247326: combine security readiness review and security preview boards with third tag from Watching to Our Part Is Done on the secscrum board.
Tue, Mar 24, 3:45 PM · Project-Admins, secscrum, Security-Team, Security, Security Preview, Security Readiness Reviews
sbassett moved T247351: testing herald secreviews from Incoming to Our Part Is Done on the secscrum board.
Tue, Mar 24, 3:45 PM · secscrum, Security Preview
sbassett triaged T248360: Phan warning in "includes/specials/SpecialMobileDiff.php" - working around by disabling as Medium priority.
Tue, Mar 24, 3:27 PM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Patch-For-Review, Readers-Web-Backlog (Kanbanana-2019-20-Q3), Security-Team, Security, phan-taint-check-plugin
sbassett moved T248360: Phan warning in "includes/specials/SpecialMobileDiff.php" - working around by disabling from Incoming to Watching on the Security-Team board.
Tue, Mar 24, 3:27 PM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Patch-For-Review, Readers-Web-Backlog (Kanbanana-2019-20-Q3), Security-Team, Security, phan-taint-check-plugin
sbassett moved T244931: Hash edit session ID in EditAttemptStep and VisualEditorFeatureUse whitelisting from Incoming to Watching on the Security-Team board.
Tue, Mar 24, 3:14 PM · Product-Analytics (Kanban), Growth-Team, Analytics
sbassett added a comment to T244076: Security Readiness Review For ChessBrowser extension.

@DannyS712 - per our SOP under Submission and Timelines, we'll still need some additional information before we can re-triage and schedule this review, namely the target date for deployment (Community-Tech as the deployment sponsors will need to confirm this) and a branch and commit sha signifying the development stopping point for the review, as we cannot review a moving target. If that's just 3515ac6, that's fine - please feel free to add it to the task description.

Tue, Mar 24, 2:48 AM · secscrum, ChessBrowser, Security Readiness Reviews
sbassett added a comment to T248360: Phan warning in "includes/specials/SpecialMobileDiff.php" - working around by disabling.

See also related security task: T236509.

Tue, Mar 24, 2:34 AM · MW-1.35-notes (1.35.0-wmf.26; 2020-03-31), Patch-For-Review, Readers-Web-Backlog (Kanbanana-2019-20-Q3), Security-Team, Security, phan-taint-check-plugin
sbassett updated the task description for T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).
Tue, Mar 24, 2:07 AM · Security, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend

Thu, Mar 19

sbassett added a comment to T246353: Investigate and mitigate trivial bypass to AntiSpoof.

I'd hoped to polish up the patch a bit more around some of the suggestions, but well, yeah. Strange times. Hopefully I can find some time soon to work through a few modifications and improvements.

Thu, Mar 19, 2:56 PM · Patch-For-Review, Anti-Harassment, Security-Team, Security, AbuseFilter, AntiSpoof

Tue, Mar 17

sbassett added a comment to T247645: CU 2.0: Enable Special:Investigate on testwiki [small].

Note: I was granted functionary rights by Trust-and-Safety on testwiki and test2wiki due to my role on the Security-Team and my involvement with CU development and testing. This was not done via the staff group as I believe that grants functionary rights across all of the projects, which I do not require. It also might be noteworthy that I have both deployment and analytics-privatedata rights and so technically have unlimited, unmonitored access to all of the same underlying data that CU would be able to access.

Tue, Mar 17, 1:54 AM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), Anti-Harassment (The Letter Song), User-DannyS712, Wikimedia-Site-requests, CheckUser

Fri, Mar 13

sbassett reopened T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) as "Open".

Not all the backports are merged yet - should this still be open?

Fri, Mar 13, 8:41 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett reopened T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534), a subtask of T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1), as Open.
Fri, Mar 13, 8:41 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett raised the priority of T211489: Security review of bjeavons/zxcvbn-php from Medium to Needs Triage.
Fri, Mar 13, 8:01 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup
sbassett moved T211489: Security review of bjeavons/zxcvbn-php from Our Part Is Done to Incoming on the secscrum board.
Fri, Mar 13, 8:01 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup
sbassett updated the task description for T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).
Fri, Mar 13, 7:55 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett moved T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) from Waiting to Done on the user-sbassett board.
Fri, Mar 13, 7:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett closed T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) as Resolved.
Fri, Mar 13, 7:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett closed T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534), a subtask of T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1), as Resolved.
Fri, Mar 13, 7:52 PM · Security, MediaWiki-Releasing, user-sbassett
sbassett updated subscribers of T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).

CVE here. Thanks, @Reedy, @DannyS712, @Jdforrester-WMF for getting the backports done!

Fri, Mar 13, 7:51 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett renamed T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) from Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one to Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).
Fri, Mar 13, 7:50 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking

Thu, Mar 12

sbassett added a comment to T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).

I've submitted the CVE request for this issue - I'll update this task and T240400 once I have it. Gerrit couldn't seem to handle simple picks for the backports to 1.31, 1.33 and 1.34, so those will likely involve a bit more work, if they're even feasible.

Thu, Mar 12, 8:49 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett moved T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning from In Progress to Done on the user-sbassett board.
Thu, Mar 12, 8:35 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett moved T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning from Wikimedia deployed to Done on the phan-taint-check-plugin board.
Thu, Mar 12, 8:35 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett closed T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning as Resolved.

Calling this done for now per alternative, merged patch: https://gerrit.wikimedia.org/r/579003

Thu, Mar 12, 8:35 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Thu, Mar 12, 7:39 PM · user-sbassett, Security-Team
sbassett removed a project from T247468: Delete gerrit repository wikimedia/security/automated-scanning: Patch-For-Review.
Thu, Mar 12, 7:37 PM · Projects-Cleanup, Release-Engineering-Team
sbassett added a comment to T247468: Delete gerrit repository wikimedia/security/automated-scanning.

  • emptying the repo and just leaving a README file that would point to this task
  • marking the repository inactive in Gerrit to prevent further changes
  • deleting the GitHub mirror

Thu, Mar 12, 7:37 PM · Projects-Cleanup, Release-Engineering-Team
sbassett added a comment to T247531: SpecialMWOAuthManageMyGrants: Call to a member function getConsumerKey() on boolean.

...but I have no idea how to turn the task into a normal bug report.

Thu, Mar 12, 6:53 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), MediaWiki-extensions-OAuth
sbassett triaged T247531: SpecialMWOAuthManageMyGrants: Call to a member function getConsumerKey() on boolean as High priority.
Thu, Mar 12, 6:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), MediaWiki-extensions-OAuth
sbassett removed projects from T247531: SpecialMWOAuthManageMyGrants: Call to a member function getConsumerKey() on boolean: Security, Security-Team.
Thu, Mar 12, 6:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), MediaWiki-extensions-OAuth

Wed, Mar 11

sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Wed, Mar 11, 9:47 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Wed, Mar 11, 9:46 PM · user-sbassett, Security-Team
sbassett updated the task description for T247468: Delete gerrit repository wikimedia/security/automated-scanning.
Wed, Mar 11, 9:46 PM · Projects-Cleanup, Release-Engineering-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Wed, Mar 11, 9:45 PM · user-sbassett, Security-Team
sbassett added a parent task for T247468: Delete gerrit repository wikimedia/security/automated-scanning: T246392: Reconfigure wikimedia/security/tooling git repository.
Wed, Mar 11, 9:44 PM · Projects-Cleanup, Release-Engineering-Team
sbassett added a subtask for T246392: Reconfigure wikimedia/security/tooling git repository: T247468: Delete gerrit repository wikimedia/security/automated-scanning.
Wed, Mar 11, 9:44 PM · user-sbassett, Security-Team
sbassett updated the task description for T247468: Delete gerrit repository wikimedia/security/automated-scanning.
Wed, Mar 11, 9:44 PM · Projects-Cleanup, Release-Engineering-Team
sbassett created T247468: Delete gerrit repository wikimedia/security/automated-scanning.
Wed, Mar 11, 9:43 PM · Projects-Cleanup, Release-Engineering-Team
sbassett updated the task description for T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Wed, Mar 11, 7:26 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett added a comment to T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.

From a very quick look, it may be caused by the 'parentheses' message not being escaped in formatRow. It's probably worth a try. (Note: I didn't check what the effect of changing text() to escaped() on the params is.)

Wed, Mar 11, 7:22 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking

Tue, Mar 10

sbassett moved T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning from Backlog to In Progress on the user-sbassett board.
Tue, Mar 10, 10:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett moved T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning from Backlog to Wikimedia deployed on the phan-taint-check-plugin board.
Tue, Mar 10, 10:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett added a project to T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning: user-sbassett.
Tue, Mar 10, 10:52 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett updated the task description for T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Tue, Mar 10, 10:51 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett updated the task description for T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Tue, Mar 10, 10:50 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett updated subscribers of T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Tue, Mar 10, 10:34 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett claimed T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Tue, Mar 10, 10:34 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett created T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning.
Tue, Mar 10, 10:33 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), user-sbassett, phan-taint-check-plugin, Security, GlobalBlocking
sbassett added a project to T247348: MediaWiki does not correctly recognize the mime type of exe files: Security.
Tue, Mar 10, 7:42 PM · Patch-For-Review, Security, MediaWiki-Uploading
sbassett removed a project from T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534): Patch-For-Review.
Tue, Mar 10, 5:33 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett edited projects for T246949: Security Review Request for MW Chameleon Skin, added: Security Readiness Reviews; removed Security-Team.
Tue, Mar 10, 3:12 PM · CPT Initiatives (API Gateway), secscrum, Security Readiness Reviews, Core Platform Team, RFS
sbassett added a comment to T245746: Font in Device.

Note: this would likely be called out as an issue in T240869, when that is completed. We currently anticipate our vendor to begin the security review around March 13th, 2020.

Tue, Mar 10, 2:25 PM · Privacy, Privacy Engineering, Inuka-Team (Kanban), KaiOS-Wikipedia-app
sbassett added a comment to T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).

Noting GlobalBlocking is not bundled, and it's not a core patch...

Tue, Mar 10, 2:16 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking
sbassett added a parent task for T240502: Raw HTML in MobileFrontend: T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).
Tue, Mar 10, 2:15 PM · Security, Readers-Web-Backlog (Kanbanana-2019-20-Q3), MobileFrontend
sbassett added a parent task for T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163): T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).
Tue, Mar 10, 2:15 PM · Security, Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo
sbassett added a parent task for T245850: Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382): T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).
Tue, Mar 10, 2:15 PM · MediaWiki-extensions-Widgets, MediaWiki-General, Security
sbassett added subtasks for T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1): T240502: Raw HTML in MobileFrontend, T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163), T245850: Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382).
Tue, Mar 10, 2:15 PM · Security, MediaWiki-Releasing, user-sbassett

Fri, Mar 6

sbassett changed the status of T246392: Reconfigure wikimedia/security/tooling git repository from Stalled to Open.
Fri, Mar 6, 10:41 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 10:41 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 10:39 PM · user-sbassett, Security-Team
sbassett moved T247136: 'forge committer' permission request on wikimedia/security and sub-repos from Incoming to Our Part Is Done on the Security-Team board.
Fri, Mar 6, 10:38 PM · Security-Team, Gerrit, Release-Engineering-Team
sbassett closed T247136: 'forge committer' permission request on wikimedia/security and sub-repos as Resolved.

Works! Thanks.

Fri, Mar 6, 10:38 PM · Security-Team, Gerrit, Release-Engineering-Team
sbassett changed the status of T246392: Reconfigure wikimedia/security/tooling git repository from Open to Stalled.

Stalling until T247136 is resolved.

Fri, Mar 6, 10:31 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 10:30 PM · user-sbassett, Security-Team
sbassett created T247136: 'forge committer' permission request on wikimedia/security and sub-repos.
Fri, Mar 6, 10:27 PM · Security-Team, Gerrit, Release-Engineering-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 10:21 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 10:02 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 9:34 PM · user-sbassett, Security-Team
sbassett added a comment to T246392: Reconfigure wikimedia/security/tooling git repository.

Commands used to create new repos, per doc:

  1. ssh -p 29418 gerrit.wikimedia.org gerrit create-project --require-change-id --owner=wikimedia-security --parent=wikimedia/security --description='"Repository for Deployer Audit tool"' wikimedia/security/deployer-audit
  2. ssh -p 29418 gerrit.wikimedia.org gerrit create-project --require-change-id --owner=wikimedia-security --parent=wikimedia/security --description='"Repository for Git Monitor tool"' wikimedia/security/gitmonitor
  3. ssh -p 29418 gerrit.wikimedia.org gerrit create-project --require-change-id --owner=wikimedia-security --parent=wikimedia/security --description='"Repository for PHP Security Tools"' wikimedia/security/php-security-tools
  4. ssh -p 29418 gerrit.wikimedia.org gerrit create-project --require-change-id --owner=wikimedia-security --parent=wikimedia/security --description='"Repository for Spam Accounts Statistics tool"' wikimedia/security/spamaccountstats
  5. ssh -p 29418 gerrit.wikimedia.org gerrit create-project --require-change-id --owner=wikimedia-security --parent=wikimedia/security --description='"Repository for Gerrit and Phabricator User Tracker tool"' wikimedia/security/usertracker
Fri, Mar 6, 9:22 PM · user-sbassett, Security-Team
sbassett updated the task description for T246392: Reconfigure wikimedia/security/tooling git repository.
Fri, Mar 6, 9:11 PM · user-sbassett, Security-Team
sbassett added a comment to T234104: PageTriage: Api allows spamming users with notifications.

Can I be added to T240393 please?

Fri, Mar 6, 7:43 PM · Security-Team, Growth-Team, PageCuration, User-DannyS712
sbassett updated subscribers of T240393: Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.
Fri, Mar 6, 7:42 PM · Security, MediaWiki-Releasing
sbassett closed Restricted Task, a subtask of T240472: Security review for the DiscussionTools extension, as Resolved.
Fri, Mar 6, 7:16 PM · secscrum, Security Readiness Reviews, Editing-team, DiscussionTools
sbassett closed T234104: PageTriage: Api allows spamming users with notifications as Resolved.

Great, let's let it go out next week before we make this task public, just to be safe. Since the security issue was resolved via a nondescript Gerrit patch, I don't think this needs to be held or anything for the next security release (T240393), though I'm not sure if @Reedy would want to include mention of it there or not.

Fri, Mar 6, 7:14 PM · Security-Team, Growth-Team, PageCuration, User-DannyS712