sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (40 w, 5 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Recent Activity

Sat, Jun 22

sbassett updated subscribers of T212667: Create mitigations for account creation spam attack [public task].

The weekly security deployment window is 21:00–23:00 UTC. If it can wait until then (I'd guess it could?) @Reedy or I can deploy it.

Sat, Jun 22, 3:45 AM · Patch-For-Review, Security-Team, Wikimedia-Site-requests
sbassett triaged T212667: Create mitigations for account creation spam attack [public task] as Normal priority.
Sat, Jun 22, 3:33 AM · Patch-For-Review, Security-Team, Wikimedia-Site-requests
sbassett added a comment to T212667: Create mitigations for account creation spam attack [public task].

@JJMC89 - Given how this was done and @Bawolff's note about it only being a temporary mitigation to be reverted after a week (back when it was implemented on December 29th, 2018), I believe fe72284c5920 should be reverted. As for changing wgAccountCreationThrottle from 6 to 10 - the rate of 6 has been in place for quite a long time, it seems: 015f5b7131ee. I have no idea what the wisdom was behind that change (long before my time), but IMO I'd think it better to be cautious and limit such a change to enwiki only, for now, if it were decided that a rate of 6 wasn't sufficient for the account creator rights discussion.

Sat, Jun 22, 3:33 AM · Patch-For-Review, Security-Team, Wikimedia-Site-requests

Fri, Jun 21

sbassett closed T225347: When downloading from git using HTTPS: HTTP 500 / GnuTLS recv error (-110) as Resolved.
Fri, Jun 21, 8:35 PM · Traffic, Operations, Gerrit
sbassett added a comment to T225347: When downloading from git using HTTPS: HTTP 500 / GnuTLS recv error (-110).

Apologies for the delay on a response to this issue. Due to an ongoing security incident [0], certain IP ranges continue to be restricted from accessing various Wikimedia development tools. We realize the incredible inconvenience this places upon legitimate Wikimedia developers affected by these restrictions, but we cannot provide a date by which these restrictions will be removed at this time. In the interim, we can offer a couple of workarounds:

Fri, Jun 21, 4:18 PM · Traffic, Operations, Gerrit
sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek limited deployment on test.wikipedia.org of the Termbox service should be fine. Just out of curiosity, is there a more long-term deployment strategy and timeline for rolling out the Termbox service on anything outside of test/beta wikis and wikidata.org?

Fri, Jun 21, 2:55 PM · Security-Team-Review-Active
sbassett triaged T207344: Phan-taint-check-plugin not available for PHP > 7.0 as Normal priority.

@Daimona @Jdforrester-WMF - apologies for the disappearing act from the Security-Team on this. @Bawolff and I have been working through some of the outstanding patch sets in Gerrit for the plugin and hope to make good progress on them this week and next. I'm optimistic we can have a proper 2.x release once that work is completed and have it ready for CI shortly after that. I'll plan to provide another update here next week.

Fri, Jun 21, 2:27 PM · Security-Team, Release-Engineering-Team (Kanban), phan-taint-check-plugin

Tue, Jun 18

sbassett added a comment to T127640: Re-evaluate our use of Phabricator Conpherence chat.

@revi - I think you can just sign up with an email, Google or GitHub account here: https://wikimedia.zulipchat.com/register/. Once you have an account, we should set up a stewards/secteam channel and try to add everyone else.

Tue, Jun 18, 1:57 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator

Mon, Jun 17

sbassett added a comment to T127640: Re-evaluate our use of Phabricator Conpherence chat.

Ok, thanks, @srishakatux!

Mon, Jun 17, 8:10 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator
sbassett added a comment to T127640: Re-evaluate our use of Phabricator Conpherence chat.

@Aklapper - just registered one w/ my wikimedia.org email address.

Mon, Jun 17, 5:31 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator
sbassett added a comment to T127640: Re-evaluate our use of Phabricator Conpherence chat.

@chasemp @revi @Aklapper - just FYI, we're still actively discussing this within the stewards/Security-Team conpherence chat. Could someone on the Security-Team get administrative access to Zulip so that we could set up a secure test chat there to evaluate as an alternative? Or can I file a bug for someone with Zulip admin access to do that? Right now, Zulip seems like it might be the most promising alternative for the stewards/Security-Team use case.

Mon, Jun 17, 4:08 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator

Thu, Jun 13

sbassett triaged T225321: Parameters to Special:Code allows to prefill the textarea for a comment reply with unsafe user input as Normal priority.
Thu, Jun 13, 9:31 PM · MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), Release-Engineering-Team, MediaWiki-extensions-CodeReview, Security

Wed, Jun 12

sbassett reassigned T201492: Security review for FormWizard extension from Bawolff-alt to Bawolff.
Wed, Jun 12, 6:30 PM · Security-Team-Review-Active, FormWizard
sbassett moved T219831: Security Review For Kask from Next (Ready) to Archive on the Security-Team-Reviews board.
Wed, Jun 12, 6:28 PM · Security-Team-Reviews, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett moved T221907: Security Concept Review For Parsoid-PHP from Next (Ready) to Archive on the Security-Team-Reviews board.
Wed, Jun 12, 6:28 PM · Security-Team-Reviews, Parsoid-PHP
sbassett edited projects for T221907: Security Concept Review For Parsoid-PHP, added: Security-Team-Reviews; removed Security-Team-Review-Active.
Wed, Jun 12, 6:28 PM · Security-Team-Reviews, Parsoid-PHP
sbassett edited projects for T219831: Security Review For Kask, added: Security-Team-Reviews; removed Patch-For-Review, Security-Team-Review-Active.
Wed, Jun 12, 6:28 PM · Security-Team-Reviews, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett closed T221907: Security Concept Review For Parsoid-PHP as Resolved.

The Security-Team is fine with this from a conceptual point of view. I'm going to resolve this task for now in favor of the incoming MW REST API and Parsoid-PHP security review requests to be submitted by @EvanProdromou and @ssastry, respectively.

Wed, Jun 12, 6:27 PM · Security-Team-Reviews, Parsoid-PHP
sbassett moved T221907: Security Concept Review For Parsoid-PHP from Waiting On Response/Mitigation to In Progress (Min Weekly Updates) on the Security-Team-Review-Active board.
Wed, Jun 12, 4:21 PM · Security-Team-Reviews, Parsoid-PHP
sbassett moved T221907: Security Concept Review For Parsoid-PHP from In Progress (Min Weekly Updates) to Waiting On Response/Mitigation on the Security-Team-Review-Active board.
Wed, Jun 12, 4:21 PM · Security-Team-Reviews, Parsoid-PHP

Tue, Jun 11

sbassett added a comment to T216419: Security review - Wikibase Termbox Front End.

@WMDE-leszek, @RazShuty - update: @JBennett is currently reviewing the risk ownership and risk register entry for this project. We should have an update on how the Security-Team would like to proceed with this shortly. In the meantime, if this is blocking deployment or anything else, please let me know on-task. Thanks for your patience.

Tue, Jun 11, 7:47 PM · Security-Team-Review-Active
sbassett added a comment to T219831: Security Review For Kask.

@Eevans - I'm not seeing anything for this particular review, though I might dig a little deeper into the code and attempt some dynamic-scanning this week, as mentioned in T219831#5173498. But none of this should block resolving the task or deployment IMO.

Tue, Jun 11, 7:40 PM · Security-Team-Reviews, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett assigned T201492: Security review for FormWizard extension to Bawolff-alt.
Tue, Jun 11, 7:25 PM · Security-Team-Review-Active, FormWizard
sbassett claimed T221907: Security Concept Review For Parsoid-PHP.
Tue, Jun 11, 7:25 PM · Security-Team-Reviews, Parsoid-PHP
sbassett moved T221477: Develop "security testing toolboxes" for manual security reviews, push to wikimedia/security/tooling repo from Backlog to In Progress on the Security-Team board.
Tue, Jun 11, 7:24 PM · Security-Team
sbassett moved T75953: RFC: MediaWiki HTTPS policy from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:22 PM · MediaWiki-Configuration, Security-Team, TechCom-RFC
sbassett moved T88393: Store unsampled API and XFF logs from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:22 PM · Operations, procurement, Security-Team, Release-Engineering-Team, MediaWiki-Debug-Logger
sbassett moved T94060: PSR-9 involvement from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team, Security-Other
sbassett moved T95714: Allow the production cluster to access *.wmflabs.org IPs from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Operations, Security-Team
sbassett moved T97653: Give Mark Holmquist security task access from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team, Phabricator
sbassett moved T98255: Security planning for Community Tech from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T98256: Security planning for Infrastructure from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T98258: Security planning for Analytics from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T98259: Security planning for Release Engineering from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T98260: Security planning for Services from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T98261: Security planning for Ops from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team
sbassett moved T76563: A direct way to submit a security report as a private task from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:21 PM · Security-Team, Phabricator
sbassett moved T88083: Mobile apps users should not be shown captchas when creating accounts from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · iOS-app-feature-Login, Security-Team, Mobile-Apps, ConfirmEdit (CAPTCHA extension), MediaWiki-API, Wikipedia-Android-App-Backlog, Wikipedia-iOS-App-Backlog
sbassett moved T85862: Make iSec assessment public from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · Security-Team
sbassett moved T86049: Security recommendations for new services from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · Security-Team, MediaWiki-Developer-Summit-2015, Services
sbassett moved T787: Security review of community extensions: Extension:AtomExporter, Extension:DownloadCounter, Extension:PasswordProtected from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · Security-Team, Security-Team-Reviews
sbassett moved T90033: Support 1password for login from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · WorkType-NewFunctionality, Security-Team, Wikipedia-iOS-App-Backlog
sbassett moved T1390: Tags for security bugs from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · Security-Team, Vuln-XSS, Vuln-Inject, Vuln-Infoleak, Vuln-CSRF, Project-Admins
sbassett moved T99680: Login screen should have a display password checkbox from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · WorkType-NewFunctionality, Security-Team-Reviews, Mobile-App-Sprint-64-Android-Gadolinium, Patch-For-Review, Security-Team, Wikipedia-Android-App-Backlog
sbassett moved T102649: Ex:WikibaseQuality - Needs to escape output by default from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:20 PM · Patch-For-Review, Wikibase-Quality, Security-Team-Reviews, Wikidata, Security-Team
sbassett moved T103633: Ex:WikibaseQualityExternalValidation - SpecialExternalDbs escape or don't use raw cells from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:19 PM · Patch-For-Review, Wikibase-Quality-External-Validation, Security-Team-Reviews, Wikidata, Security-Team, Wikibase-Quality
sbassett moved T103818: [Task] Security review of Wikibase-Quality master from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:19 PM · Wikibase-Quality, Security-Team-Reviews, Wikidata, Security-Team
sbassett moved T103819: [Task] Security review of Wikibase-Quality-Constraints - master branch from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:19 PM · Security-Team-Reviews, Wikibase-Quality-Constraints, Wikidata, Security-Team, Wikibase-Quality
sbassett moved T103822: [Task] Security review of Wikibase-Quality-External-Validation branch master from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Wikibase-Quality-External-Validation, Security-Team-Reviews, Wikidata, Security-Team, Wikibase-Quality
sbassett moved T72181: Setup a dedicated mediawiki host in Beta Cluster that we can use for security scanning from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · RelEng-Archive-FY201718-Q1, Operations, WorkType-NewFunctionality, Scrum-of-Scrums, Security-Team, Patch-For-Review, Blocked-on-Operations, Puppet, Beta-Cluster-Infrastructure
sbassett moved T103905: Ex:WikibaseQualityExternalValidation - rate limit Special:CrossCheck from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Patch-For-Review, Wikibase-Quality-External-Validation, Security-Team-Reviews, Wikidata, Security-Team, Wikibase-Quality
sbassett moved T104371: Strengthen password policy for Stewards from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Patch-For-Review, Stewards-and-global-tools, Wikimedia-Site-requests, Security-General, Security-Team
sbassett moved T104372: Strengthen password policy for Ombudsmen from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Patch-For-Review, Security-Team, Security-General
sbassett moved T104373: Strengthen password policy for Checkusers from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Security-Team, Security-General
sbassett moved T104615: Some account creations causing exceptions from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), WMF-deploy-2015-07-21_(1.26wmf15), WMF-deploy-2015-07-14_(1.26wmf14), MW-1.26-release, WMF-deploy-2015-07-07_(1.26wmf13), WMF-deploy-2015-06-30_(1.26wmf12), Patch-For-Review, MediaWiki-extensions-CentralAuth, Security-Team
sbassett moved T104913: Improve RESTBase CSP headers: use 'self' instead of *, allow inline styles for sanitized content from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:18 PM · Security-Team, Parsoid, Security-General, RESTBase
sbassett moved T105533: Security Roadmap July - Sept 2015 (Q1 2015/2016) from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:17 PM · Security-Team
sbassett moved T97869: Review access to security tasks from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:17 PM · Security-Team
Restricted Application added a project to T108632: http://citoid.wikimedia.org/ should force HTTPS: User-Ryasmeen.
Tue, Jun 11, 7:17 PM · User-Ryasmeen, VisualEditor, Operations, Security, Traffic, HTTPS, HTTPS-by-default, Security-Team, Citoid
sbassett moved T108138: Sysops can undelete pages, although the page is protected against it from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:17 PM · MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes, Patch-For-Review, Security-Team, Security, MediaWiki-Page-deletion, MediaWiki-Page-protection
sbassett moved T104147: can we get rid of rsvg security patch? from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:17 PM · Operations, Security-Team
sbassett moved T109002: Add EBernhardson to Security group from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:16 PM · Security-Team
sbassett moved T108978: Add $wgAllowSiteJSOnRestrictedPages to allow JS on restricted special pages from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:16 PM · MediaWiki-Interface, Security-Team
sbassett moved T108702: Security review for tedivm/jshrink from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:15 PM · Security-Team, Security, Security-Team-Reviews, MediaWiki-Vendor
sbassett moved T109102: Investigate / test hardware tokens for WMF identity key from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:15 PM · Security-Team
sbassett moved T109106: Document task prioritization (bug triage) process of WMF Security Team from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:15 PM · Documentation, Security-Team
sbassett moved T109524: DFIR process documented on officewiki from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:15 PM · Security-Team
sbassett moved T109968: List #Security subprojects (e.g. Vuln-*) in Phabricator project description from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Project-Admins, Security-Team
sbassett moved T110617: Goal: Implement static code analysis for security from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Goal, Security-Team
sbassett moved T112792: Security review for cross-wiki aspects of Echo notifications from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Security-Team-Reviews, Security-Team, Collaboration-Team-Triage, Notifications
sbassett moved T112793: Security review for Flow new structured workflow feature from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Security-Team-Reviews, Security-Team, Collaboration-Team-Triage, StructuredDiscussions
sbassett moved T113290: Secure code training for FrTech - Spring 2016 from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Security-Team
sbassett moved T117899: XSS from wikitext when $wgArticlePath='$1' from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Security-Team, Security, MediaWiki-Parser, Vuln-XSS
sbassett moved T118466: Security review of RevisionJumper from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:13 PM · Security-Team, Security-Team-Reviews
sbassett moved T60462: Gadgets enabled by default should be held to a higher level of quality from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:12 PM · Security-Team, JavaScript, Wikimedia-General-or-Unknown
sbassett moved T56713: Non-NDA users cannot access graphite.wikimedia.org from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:12 PM · Security-Team, Operations, Wikimedia-General-or-Unknown
sbassett moved T120212: Security review of EventBus extension from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:12 PM · Analytics, Security-Team, Security-Team-Reviews, EventBus, Services
sbassett moved T120495: Major overhaul to Special reports from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:12 PM · Security-Team, MediaWiki-Special-pages, Community-Wishlist-Survey-2015
sbassett moved T120886: Make javascript editing permissions more fine grained and separate from normal editinterface right from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:12 PM · Patch-For-Review, Gadgets-2.0, Security-Team
sbassett moved T121046: Automatically submit weekly core deployment branch (+skins, +vendor) to Veracode from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:11 PM · Security-Team
sbassett moved T204853: Security Issue Access Request for MBinder_WMF from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:10 PM · Security-Team, Security
sbassett moved T121175: Implement password age password policy check from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:10 PM · Security-Team, MediaWiki-User-login-and-signup
sbassett moved T121179: Implement password complexity password policy check from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:10 PM · Security-Team, MediaWiki-User-login-and-signup
sbassett moved T122013: Investigate additional password reset methods (apart from email) from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:10 PM · Security-Team, MediaWiki-General-or-Unknown
sbassett moved T121355: Sometimes Citoid API returns null authors when using format mediawiki from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:10 PM · Security-Team, Citoid
sbassett moved T122123: Send echo notification to user of how many failed logins there was since last successful login from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · Collaboration-Team-Triage, Notifications, Security-Team
sbassett moved T122164: Better limitation on number of password guesses people can make from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · MW-1.27-release (WMF-deploy-2016-03-15_(1.27.0-wmf.17)), ConfirmEdit (CAPTCHA extension), MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-03-01_(1.27.0-wmf.15)), Patch-For-Review, Security, Security-Team
sbassett moved T122721: Add localhost to $wgCrossSiteAJAXdomains from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · Security-Team, Wikimedia-Site-requests
sbassett moved T123753: Establish retrospective reports for #security and #performance incidents from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · Documentation, Security-Team, Performance-Team
sbassett moved T124421: Response to api.php?action=login on Wikimedia wikis has some seriously sick Set-Cookie headings from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)), MediaWiki-User-login-and-signup, MW-1.27-release (WMF-deploy-2016-02-02_(1.27.0-wmf.12)), MW-1.27-release-notes, Patch-For-Review, Security-Team, Wikimedia-General-or-Unknown
sbassett moved T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812) from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · MW-1.29-release-notes, Patch-For-Review, MediaWiki-Language-converter, Security, Security-Team
sbassett moved T126544: Update openvas-manager 6.0.7 package for gnutls issue from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · Security-Team
sbassett moved T126685: Globally throttle password attempts from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · Patch-For-Review, Security-Team, Security
sbassett moved T125290: CentralAuthUser::validateAuthToken should use constant-time string comparison from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · MW-1.27-release (WMF-deploy-2016-04-26_(1.27.0-wmf.22)), Security-Team, Patch-For-Review, Security, Security-Extensions, MediaWiki-extensions-CentralAuth
sbassett moved T130233: [Review] using Wheels for deployment (signing?) from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:08 PM · ORES, Scoring-platform-team (Current), Security-Team-Reviews, Security-Team
sbassett moved T130396: Add restbase test url to ZAP seeding from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:07 PM · Security-Team
sbassett moved T130649: Procure *.tools.wmflabs.org certificate from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:07 PM · Cloud-Services, Toolforge, Security-Team
sbassett moved T130740: Additional error handling needed in OATHAuthHooks::schemaUpdateOldUsers from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:07 PM · Security-Team, MediaWiki-extensions-OATHAuth
sbassett moved T130741: Back button allows access to scratch tokens and previously submitted token immediately after two-factor enrollment from Backlog to Done on the Security-Team board.
Tue, Jun 11, 7:07 PM · Security-Team, MediaWiki-extensions-OATHAuth
sbassett updated subscribers of T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th).
Tue, Jun 11, 7:06 PM · Security-Team