
sbassett (Scott Bassett)
Staff Security Architect

User Details

User Since
Sep 12 2018, 3:52 PM (144 w, 6 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett triaged T280644: Security Readiness Review For mapbox-gl-rtl-text as Lowest priority.

Per @MSantos above - setting to lowest, stalled and back ordered for now, until we have a clearer idea on if this library will be used in Wikimedia production and if risk will be accepted or mitigated by the ostensible maintainers.

Tue, Jun 22, 3:52 PM · secscrum, Maps (Kartographer), Product-Infrastructure-Team-Backlog, Security, Security Readiness Reviews

Mon, Jun 21

sbassett updated the task description for T285272: List of valid and invalid security bug report topics.
Mon, Jun 21, 9:22 PM · Patch-For-Review, Documentation, Security, Security-Team
sbassett awarded T285272: List of valid and invalid security bug report topics a Like token.
Mon, Jun 21, 9:14 PM · Patch-For-Review, Documentation, Security, Security-Team
sbassett moved T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users from Watching to Our Part Is Done on the Security-Team board.
Mon, Jun 21, 8:13 PM · Security-Team, VisualEditor, Vuln-Infoleak, User-DannyS712, Security
sbassett moved T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users from Watching to Our Part Is Done on the Security-Team board.
Mon, Jun 21, 8:11 PM · MW-1.36-notes, MW-1.37-notes (1.37.0-wmf.1; 2021-04-13), User-Majavah, MediaWiki-Special-pages, MediaWiki-Blocks, Vuln-Infoleak, Security, Security-Team
sbassett moved T213933: PoC alert/notification functionality with Elastic Stack from Frozen to Our Part Is Done on the Security-Team board.
Mon, Jun 21, 2:20 PM · observability, Restricted Project, Security-Team, Wikimedia-Logstash
sbassett moved T213933: PoC alert/notification functionality with Elastic Stack from Back Orders to Frozen on the Security-Team board.
Mon, Jun 21, 2:19 PM · observability, Restricted Project, Security-Team, Wikimedia-Logstash

Thu, Jun 17

sbassett triaged T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13) as Low priority.
Thu, Jun 17, 3:52 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett moved T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13) from Watching to Our Part Is Done on the Security-Team board.
Thu, Jun 17, 3:51 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett moved T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13) from Backlog to Triaged on the Event Metrics board.
Thu, Jun 17, 3:51 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett awarded T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13) a Like token.
Thu, Jun 17, 3:51 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security

Tue, Jun 15

sbassett added a comment to T281527: Security Readiness Review For Vue composition API plugin.

There are only release candidates for version 1, which means code is constantly changing and hard to ensure project stability. It would be ideal to make sure once the 1.0 release is available, another follow up security review should be done to ensure there aren't any security issues.

Tue, Jun 15, 6:46 PM · Patch-For-Review, Design-Systems-team-board, secscrum, Security, Security Readiness Reviews

Mon, Jun 14

sbassett renamed T284833: Vendor Review For Tray.io from Supplier Review For Tray.io (Vendor Review) to Vendor Review For Tray.io.
Mon, Jun 14, 3:47 PM · SecTeam-Processed, Security Supplier Assessments, Security-Team, Security
sbassett moved T284833: Vendor Review For Tray.io from Incoming to Back Orders on the Security-Team board.
Mon, Jun 14, 3:46 PM · SecTeam-Processed, Security Supplier Assessments, Security-Team, Security
sbassett added a project to T284137: Allow federated queries with the Lingua Libre SPARQL endpoint: SecTeam-Processed.
Mon, Jun 14, 3:45 PM · SecTeam-Processed, Security, Discovery-Search (Current work), Wikidata, Commons, SDC General, Lingua Libre, Wikidata-Query-Service
sbassett added a project to T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13): SecTeam-Processed.
Mon, Jun 14, 3:44 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett moved T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13) from Incoming to Watching on the Security-Team board.
Mon, Jun 14, 3:43 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett removed a project from T284137: Allow federated queries with the Lingua Libre SPARQL endpoint: Security-Team.
Mon, Jun 14, 3:38 PM · SecTeam-Processed, Security, Discovery-Search (Current work), Wikidata, Commons, SDC General, Lingua Libre, Wikidata-Query-Service
sbassett renamed T284833: Vendor Review For Tray.io from Security Readiness Review For Tray.io (Vendor Review) to Supplier Review For Tray.io (Vendor Review).
Mon, Jun 14, 3:35 PM · SecTeam-Processed, Security Supplier Assessments, Security-Team, Security

Fri, Jun 11

sbassett changed Impacted from wikimedia/eventmetric to wikimedia/eventmetrics on T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13).
Fri, Jun 11, 7:57 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett added a project to T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13): Vuln-VulnComponent.
Fri, Jun 11, 7:57 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett created T284840: wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13).
Fri, Jun 11, 7:55 PM · Community-Tech (CommTech-Sprint-2), SecTeam-Processed, Event Metrics, Vuln-VulnComponent, Security-Team, Security
sbassett added a comment to T284137: Allow federated queries with the Lingua Libre SPARQL endpoint.

Indeed, this task can become public. @Aklapper: could you remove the protection of this task?

Fri, Jun 11, 2:59 PM · SecTeam-Processed, Security, Discovery-Search (Current work), Wikidata, Commons, SDC General, Lingua Libre, Wikidata-Query-Service
sbassett changed the visibility for T284137: Allow federated queries with the Lingua Libre SPARQL endpoint.
Fri, Jun 11, 2:57 PM · SecTeam-Processed, Security, Discovery-Search (Current work), Wikidata, Commons, SDC General, Lingua Libre, Wikidata-Query-Service

Thu, Jun 10

sbassett added a comment to T281527: Security Readiness Review For Vue composition API plugin.

Cool, thanks for the update, @Catrope. @Mstyles and I discussed this review today and I believe she plans on posting the report deliverable within the next day or so.

Thu, Jun 10, 8:41 PM · Patch-For-Review, Design-Systems-team-board, secscrum, Security, Security Readiness Reviews

Wed, Jun 9

sbassett added a comment to T133735: Formalize procedures for doing security releases of MediaWiki extensions.

I've been sending supplemental security announcements for about a year and a half now with each quarterly-ish security release of core and bundled extensions/skins. This provides some... eventual visibility and disclosure for security issues related to non-bundled extensions and skins. There's also T101017, which the Security-Team had wanted to generalize to any user interested in such access (and not just the specific user within that task description), though that task has been de-prioritized for now. I would assume that if a general process is ever documented and implemented for T101017, that plus the continued supplemental announcements should likely be a good effort to better our security disclosures for non-bundled extensions and skins, though I think the Security-Team would be open to any other reasonable suggestions.

Wed, Jun 9, 7:29 PM · Documentation, Security-Team

Tue, Jun 8

sbassett moved T284543: Please add Jelto to security@wikimedia.org mailing list from In Progress to Our Part Is Done on the Security-Team board.
Tue, Jun 8, 4:38 PM · SecTeam-Processed, Security-Team
sbassett moved T284341: Security Readiness Review For Vite from Incoming to Back Orders on the secscrum board.
Tue, Jun 8, 3:53 PM · Design-Systems-team-board (Vue.js Migration Team Radar), Security, secscrum, Security Readiness Reviews
sbassett moved T284338: Security Readiness Review For Rollup.js from Incoming to Back Orders on the secscrum board.
Tue, Jun 8, 3:53 PM · Design-Systems-team-board (Vue.js Migration Team Radar), secscrum, Security, Security Readiness Reviews
sbassett assigned T284543: Please add Jelto to security@wikimedia.org mailing list to Dsharpe.
Tue, Jun 8, 2:46 PM · SecTeam-Processed, Security-Team

Mon, Jun 7

sbassett changed the visibility for T283175: Should WMCS be getting CF protection?
Mon, Jun 7, 4:50 PM · SRE, SecTeam-Processed, Traffic, Cloud-Services, cloud-services-team (Kanban), Security, Security-Team
sbassett moved T284274: action=history allows for limits as high as 5000, which is probably too high from Incoming to Watching on the Security-Team board.
Mon, Jun 7, 3:49 PM · Platform Team Workboards (Clinic Duty Team), Vuln-DoS, MediaWiki-Page-history, Security, Security-Team
sbassett moved T283175: Should WMCS be getting CF protection? from Incoming to Our Part Is Done on the Security-Team board.

Yep, we can turn it on relatively quickly in an emergency. No monetary cost.

Mon, Jun 7, 3:39 PM · SRE, SecTeam-Processed, Traffic, Cloud-Services, cloud-services-team (Kanban), Security, Security-Team
sbassett edited projects for T284387: Toolforge: dewkin exfiltrates personal data, added: SecTeam-Processed; removed Privacy.
Mon, Jun 7, 3:17 PM · SecTeam-Processed, Tools

Thu, Jun 3

sbassett closed T283987: Replace "Review required by" with "Last reviewed on" info on SOP pages as Resolved.

There is a text search on mediawiki.org. It lists https://www.mediawiki.org/wiki/Security/SOP/Security_Preview as left to do.

Thu, Jun 3, 2:43 PM · SecTeam-Processed, Documentation, Security-Team

Wed, Jun 2

sbassett moved T283987: Replace "Review required by" with "Last reviewed on" info on SOP pages from Incoming to Our Part Is Done on the Security-Team board.
Wed, Jun 2, 6:46 PM · SecTeam-Processed, Documentation, Security-Team
sbassett changed the visibility for T283763: ircredirect.toolforge.org tool vulnerable to XSS.
Wed, Jun 2, 3:16 PM · SecTeam-Processed, Vuln-XSS, Tools, Security
sbassett added a comment to T283763: ircredirect.toolforge.org tool vulnerable to XSS.

Ok, I'm going to make this task public since I believe the serious issues (XSSes) have been sufficiently addressed for now.

Wed, Jun 2, 3:16 PM · SecTeam-Processed, Vuln-XSS, Tools, Security

Tue, Jun 1

sbassett added a comment to T283763: ircredirect.toolforge.org tool vulnerable to XSS.

Looking at the patched version, it appears that the XSS for the channel param should be fairly well-defended with htmlspecialchars. I might suggest performing the sanitization closer to the point of output (in the html string) but that's more an auditability concern than anything else.

Tue, Jun 1, 8:10 PM · SecTeam-Processed, Vuln-XSS, Tools, Security
sbassett added a comment to T284090: Disable peek for the Security Team.

Thanks, @MoritzMuehlenhoff.

Tue, Jun 1, 6:02 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett lowered the priority of T284090: Disable peek for the Security Team from Medium to Low.
Tue, Jun 1, 4:59 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett changed the status of T284090: Disable peek for the Security Team from Open to Stalled.

@MoritzMuehlenhoff - ok, sounds good. +1 to the patch above, not sure about that Tox CI error though, seems unrelated to the patch. Would you or another SRE be able to puppet deploy that for us? Regarding a larger decommission of the VM - I'd like to self-assign this task and stall it on a date next quarter. If the Security-Team either decides to decommission the VM by then or hasn't made a decision by then, we can go ahead and decommission it. Does that sound reasonable?

Tue, Jun 1, 4:58 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett added a comment to T273401: peek does a deprecated API call.

See related decom task: T284090

Tue, Jun 1, 4:46 PM · Peek, SecTeam-Processed, Security-Team
sbassett moved T284090: Disable peek for the Security Team from Incoming to In Progress on the Security-Team board.
Tue, Jun 1, 4:44 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett triaged T284090: Disable peek for the Security Team as Medium priority.
Tue, Jun 1, 4:44 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett added a project to T284090: Disable peek for the Security Team: Peek.
Tue, Jun 1, 4:32 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett created T284090: Disable peek for the Security Team.
Tue, Jun 1, 4:31 PM · user-sbassett, Peek, serviceops, Security-Team
sbassett added a project to T273401: peek does a deprecated API call: Peek.
Tue, Jun 1, 4:18 PM · Peek, SecTeam-Processed, Security-Team
sbassett moved T52864: Upgrade GNU Mailman from 2.1 to Mailman3 from Watching to Our Part Is Done on the Security-Team board.
Tue, Jun 1, 4:01 PM · Security-Team, SRE, Wikimedia-Mailing-lists
sbassett awarded T181803: Stop storing Mailman passwords in plain text a Like token.
Tue, Jun 1, 4:01 PM · Security, Privacy, User-Josve05a, SRE, Wikimedia-Mailing-lists
sbassett moved T283283: Command injection in wikibugs because of outdated irc3 dependency from Watching to Our Part Is Done on the Security-Team board.
Tue, Jun 1, 2:15 PM · Vuln-Inject, Wikibugs, Security, Security-Team
sbassett awarded T283283: Command injection in wikibugs because of outdated irc3 dependency a Like token.
Tue, Jun 1, 2:14 PM · Vuln-Inject, Wikibugs, Security, Security-Team
sbassett edited projects for T283763: ircredirect.toolforge.org tool vulnerable to XSS, added: SecTeam-Processed; removed Security-Team.

@Ahecht - are you comfortable if we make this task public now? We'd only want to do that if all of these issues have been satisfactorily addressed.

Tue, Jun 1, 2:08 PM · SecTeam-Processed, Vuln-XSS, Tools, Security

Thu, May 27

sbassett moved T264822: (MS 7) Security Readiness Review For Wikidata Query Builder from Waiting to In Progress on the secscrum board.
Thu, May 27, 9:03 PM · user-sbassett, secscrum, Security Readiness Reviews, Wikidata Query Builder, Wikidata, Security
sbassett moved T274682: Security Readiness Review For Wikifunctions from Waiting to In Progress on the secscrum board.
Thu, May 27, 9:03 PM · Abstract Wikipedia team (Phase ε), user-sbassett, Security, Security Readiness Reviews, secscrum
sbassett moved T280644: Security Readiness Review For mapbox-gl-rtl-text from In Progress to Waiting on the secscrum board.
Thu, May 27, 9:03 PM · secscrum, Maps (Kartographer), Product-Infrastructure-Team-Backlog, Security, Security Readiness Reviews

Wed, May 26

sbassett changed the visibility for T283616: Special:Investigate UserAgent tab is not populated with logged actions.
Wed, May 26, 7:03 PM · Anti-Harassment, SecTeam-Processed, User-RhinosF1, MW-1.36-release, CheckUser, Security

Tue, May 25

sbassett updated subscribers of T283616: Special:Investigate UserAgent tab is not populated with logged actions.
Tue, May 25, 6:21 PM · Anti-Harassment, SecTeam-Processed, User-RhinosF1, MW-1.36-release, CheckUser, Security
sbassett edited projects for T283616: Special:Investigate UserAgent tab is not populated with logged actions, added: SecTeam-Processed, Anti-Harassment; removed Security-Team.
Tue, May 25, 6:21 PM · Anti-Harassment, SecTeam-Processed, User-RhinosF1, MW-1.36-release, CheckUser, Security
sbassett moved T283346: Provide access to T265845 from Incoming to Our Part Is Done on the Security-Team board.
Tue, May 25, 3:40 PM · SecTeam-Processed, Security-Team
sbassett assigned T283346: Provide access to T265845 to Dsharpe.
Tue, May 25, 2:25 PM · SecTeam-Processed, Security-Team

Mon, May 24

sbassett moved T283283: Command injection in wikibugs because of outdated irc3 dependency from Incoming to Watching on the Security-Team board.
Mon, May 24, 3:57 PM · Vuln-Inject, Wikibugs, Security, Security-Team
sbassett changed the visibility for T258322: Open redirect in wikis that use http://domain.tld/index.php format.
Mon, May 24, 3:50 PM · Vuln-OpenRedirect, Platform Engineering, MediaWiki-General, Security, Security-Team
sbassett added a project to T258322: Open redirect in wikis that use http://domain.tld/index.php format: Vuln-OpenRedirect.

Making this public for now (largely for transparency and disclosure reasons) as it appears to impact very old versions of MediaWiki which are not being run in Wikimedia production, and should be fairly low-risk.

Mon, May 24, 3:50 PM · Vuln-OpenRedirect, Platform Engineering, MediaWiki-General, Security, Security-Team

May 21 2021

sbassett updated the task description for T273220: Deploy StopForumSpam extension to production.
May 21 2021, 7:25 PM · Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett updated the task description for T273220: Deploy StopForumSpam extension to production.
May 21 2021, 7:24 PM · Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett closed T266904: Performance review of ext:StopForumSpam, a subtask of T273220: Deploy StopForumSpam extension to production, as Resolved.
May 21 2021, 7:18 PM · Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett closed T266904: Performance review of ext:StopForumSpam as Resolved.
May 21 2021, 7:18 PM · MW-1.37-notes (1.37.0-wmf.7; 2021-05-25), Performance-Team

May 18 2021

sbassett closed T279690: Enable risk rating field in Phabricator's task form as Resolved.

Task subtypes and fields on a form are different things. Set the "Security Issue" subtype, then edit the task itself.

May 18 2021, 6:55 PM · Phabricator, Security-Team
sbassett moved T279690: Enable risk rating field in Phabricator's task form from In Progress to Our Part Is Done on the Security-Team board.
May 18 2021, 6:55 PM · Phabricator, Security-Team
sbassett triaged T281527: Security Readiness Review For Vue composition API plugin as Medium priority.
May 18 2021, 4:11 PM · Patch-For-Review, Design-Systems-team-board, secscrum, Security, Security Readiness Reviews
sbassett assigned T281527: Security Readiness Review For Vue composition API plugin to Mstyles.

We're going to try to accommodate this review this quarter (Q4 2021) given the visibility and importance of this project. We're going to perform a combination of analyses for this one, with a vendor assessment, a review of Vue's security model and a limited amount of application security analysis.

May 18 2021, 4:11 PM · Patch-For-Review, Design-Systems-team-board, secscrum, Security, Security Readiness Reviews
sbassett added a comment to T274682: Security Readiness Review For Wikifunctions.

Update: The Abstract Wikipedia team and Security-Team worked through the vendor scoping doc on Monday, 2021-05-17 (thanks again, all). This document was then sent along to our vendor PM contact that afternoon. I also owe the vendor our Threat Modeling outline doc and Threat Dragon model for review, which I plan to provide them today or tomorrow.

May 18 2021, 4:06 PM · Abstract Wikipedia team (Phase ε), user-sbassett, Security, Security Readiness Reviews, secscrum
sbassett added a comment to T268341: Possible XSS in SpecialGlobalUsage (CVE-2020-35622).

@Daimona - so looking at the gerrit change set, we'd just need to remove that first htmlspecialchars in your opinion? Basically change this:

$link = WikiMap::makeForeignLink( $item['wiki'], $page,
	str_replace( '_', ' ', htmlspecialchars( $page ) ) );
// Return only the title if no link can be constructed
return $link === false ? htmlspecialchars( $page ) : $link;

to:

$link = WikiMap::makeForeignLink( $item['wiki'], $page,
	str_replace( '_', ' ', $page ) );
// Return only the title if no link can be constructed
return $link === false ? htmlspecialchars( $page ) : $link;

Also - if we don't really need that underscore faux-normalization, then we shouldn't need the third arg at all, per the docblock:

May 18 2021, 2:57 PM · MW-1.36-notes (1.36.0-wmf.21; 2020-12-08), Vuln-XSS, GlobalUsage, Security, Security-Team

May 17 2021

sbassett removed projects from T247327: Combine RFS forms for Security Readiness Review and other RFS: Security, secscrum.
May 17 2021, 8:50 PM · Security-Team, Security Readiness Reviews
sbassett added a project to T282957: mailman3-web got stuck on lists1001, possible DoS: Upstream.
May 17 2021, 8:42 PM · Upstream, SRE, SecTeam-wikimedia-project-event, SecTeam-Processed, Vuln-DoS, Wikimedia-Mailing-lists, Security
sbassett moved T258322: Open redirect in wikis that use http://domain.tld/index.php format from Watching to Incoming on the Security-Team board.

@Reedy - is this still an issue? https://wow.gamepedia.com/index.php?title=/example.org&action=edit&redlink=1 just redirects to https://wowpedia.fandom.com/wiki//example.org for me in Chrome 90.0.4430.85/MacOS 10.14.6.

May 17 2021, 6:48 PM · Vuln-OpenRedirect, Platform Engineering, MediaWiki-General, Security, Security-Team
sbassett changed the visibility for T263023: XXE Vulnerabilities in tests/phpunit/includes/ExportTest.php.
May 17 2021, 6:44 PM · MediaWiki-Core-Snapshots, Vuln-XXE, MediaWiki-Core-Tests, Security, Security-Team
sbassett moved T263023: XXE Vulnerabilities in tests/phpunit/includes/ExportTest.php from In Progress to Our Part Is Done on the Security-Team board.
May 17 2021, 6:43 PM · MediaWiki-Core-Snapshots, Vuln-XXE, MediaWiki-Core-Tests, Security, Security-Team
sbassett closed T263023: XXE Vulnerabilities in tests/phpunit/includes/ExportTest.php as Resolved.

Calling this resolved (all relevant hardening change sets in gerrit are merged) and making public.

May 17 2021, 6:43 PM · MediaWiki-Core-Snapshots, Vuln-XXE, MediaWiki-Core-Tests, Security, Security-Team
sbassett moved T250715: Drop (and archive?) aft_feedback from Our Part Is Done to Incoming on the Security-Team board.
May 17 2021, 6:23 PM · SecTeam-Processed, Privacy Engineering, Security-Team, DBA
sbassett moved T275704: Fix data inconsistency in cu_log: Remove trailing spaces from Our Part Is Done to Watching on the Security-Team board.
May 17 2021, 6:21 PM · SecTeam-Processed, User-Urbanecm, CheckUser, Security, Security-Team
sbassett moved T264798: CentralAuth should not emit central cookies when creating a local session from Our Part Is Done to Watching on the Security-Team board.
May 17 2021, 6:20 PM · Platform Engineering (Icebox), SecTeam-Processed, Security-Team, MediaWiki-extensions-CentralAuth
sbassett moved T251732: wikiworkshop.org has Facebook button, external statcounter, https to http redirect from Our Part Is Done to Watching on the Security-Team board.
May 17 2021, 6:19 PM · Security-Team, Privacy, Research, Privacy Engineering, Traffic, SRE
sbassett triaged T258322: Open redirect in wikis that use http://domain.tld/index.php format as Medium priority.
May 17 2021, 6:17 PM · Vuln-OpenRedirect, Platform Engineering, MediaWiki-General, Security, Security-Team
sbassett moved T101017: Early security release access for Lcawte (ShoutWiki) from In Progress to Back Orders on the Security-Team board.
May 17 2021, 6:15 PM · Security-Team, ShoutWiki, WMF-Legal
sbassett closed T280590: Special:ImportFile does not check permissions from own config FileImporterRequiredRight as Resolved.
May 17 2021, 5:04 PM · MW-1.37-notes (1.37.0-wmf.4; 2021-05-04), Unplanned-Sprint-Work, WMDE-TechWish-Sprint-2021-04-28, Move-Files-To-Commons, Security, Security-Team
sbassett changed the status of T257836: Publish content on security.wikimedia.org, a subtask of T257830: Create security.wikimedia.org, from Open to Stalled.
May 17 2021, 5:00 PM · Epic, Security-Team
sbassett changed the status of T257836: Publish content on security.wikimedia.org from Open to Stalled.
May 17 2021, 5:00 PM · Security-Team
sbassett removed a project from T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON: Patch-For-Review.
May 17 2021, 4:51 PM · Vuln-Misconfiguration, SecTeam-Processed, MediaWiki-extensions-OAuth, Security, Security-Team
sbassett closed T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON as Resolved.

Looks to be completed with the above change sets merged?

May 17 2021, 4:51 PM · Vuln-Misconfiguration, SecTeam-Processed, MediaWiki-extensions-OAuth, Security, Security-Team
sbassett moved T117618: Add restrictive CSP to upload.wikimedia.org from In Progress to Back Orders on the Security-Team board.
May 17 2021, 4:48 PM · ContentSecurityPolicy, Patch-For-Review, Wikimedia-General-or-Unknown, Traffic, SRE, Security-Team
sbassett moved T118750: Document and test security response process from In Progress to Back Orders on the Security-Team board.
May 17 2021, 4:47 PM · PM, Documentation, Security-Team
sbassett updated subscribers of T227008: Draft golang security best practices documentation.
May 17 2021, 4:41 PM · Security-Team
sbassett moved T227008: Draft golang security best practices documentation from In Progress to Back Orders on the Security-Team board.
May 17 2021, 4:40 PM · Security-Team
sbassett moved T255208: Catalog and evaluate methods of analysis for Wikimedia captcha performance from In Progress to Back Orders on the Security-Team board.
May 17 2021, 4:40 PM · observability, user-sbassett, ConfirmEdit (CAPTCHA extension), Security-Team, Security
sbassett moved T255881: Enable wgBreakFrames across all projects from In Progress to Back Orders on the Security-Team board.
May 17 2021, 4:40 PM · Wikimedia-Site-requests, Security, Security-Team, user-sbassett
sbassett moved T180896: Allow functionaries to reset second factor on low-risk accounts from In Progress to Watching on the Security-Team board.
May 17 2021, 4:37 PM · SecTeam-Processed, Security-Team, Security, MediaWiki-extensions-OATHAuth, Trust-and-Safety, WMF-Legal, MW-1.34-notes (1.34.0-wmf.1; 2019-04-16)
sbassett triaged T256285: Write a script to create security release task tree as Low priority.
May 17 2021, 4:30 PM · Release-Engineering-Team (Radar), MediaWiki-Releasing, Security-Team
sbassett changed the status of T256285: Write a script to create security release task tree from Open to Stalled.

Stalling on need to answer questions in T256285#6255281.

May 17 2021, 4:30 PM · Release-Engineering-Team (Radar), MediaWiki-Releasing, Security-Team