Security reviews/status

Last update on: 2012-06-monthly

2012-06-06
Two new vulnerabilities were reported or identified in code review; one fix was put into production. Initial audit of global Javascript and CSS across WMF sites was done in response to reports of privacy-violating javascript. Further enhancements to SVG security were completed.

2012-05-monthly
Chris Steipp has started auditing several parts of our system. Two new vulnerabilities were reported or identified in code review; one fix was put into production. Chris also completed an initial audit of global JavaScript and CSS across Wikimedia sites, in response to reports of problematic JavaScript. He finished up work on enhanced SVG security filter to strip out elements not included on a feature whitelist.

2012-06-monthly
Chris Steipp was on leave for much of June. Work continues to audit of global JavaScript and CSS across Wikimedia sites. Three security issues opened, two closed. Secure code review training given at Berlin Hackathon.