Security reviews/status

Last update on: 2013-03-14

2012-06-06
Two new vulnerabilities were reported or identified in code review; one fix was put into production. An initial audit of global JavaScript and CSS across WMF sites was done in response to reports of privacy-violating JavaScript. Further enhancements to SVG security were completed.

2012-05-monthly
Chris Steipp has started auditing several parts of our system. Two new vulnerabilities were reported or identified in code review; one fix was put into production. Chris also completed an initial audit of global JavaScript and CSS across Wikimedia sites, in response to reports of problematic JavaScript. He finished work on an enhanced SVG security filter that strips out elements not included on a feature whitelist.

2012-06-monthly
Chris Steipp was on leave for much of June. Work continues on the audit of global JavaScript and CSS across Wikimedia sites. Three security issues were opened, two closed. Secure code review training was given at the Berlin Hackathon.

2012-07-27
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-07-monthly
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-08-monthly
Improved filtering in uselang with MediaWiki 1.20/wmf8 fixed several DOM-based XSS vulnerabilities in different gadgets. Chris Steipp fixed 4 security issues in core, and released MediaWiki 1.19.2 and 1.18.5 to include them.

2012-09-monthly
The team continues to respond to reported vulnerabilities. Chris Steipp led secure code training at WMF tech days for WMF staff. Chris also performed a review pass on the Wikidata extensions.

2012-10-monthly
The team continued to respond to and fix reported vulnerabilities. They worked on improving the release process for security updates to supported versions of MediaWiki, and provided significant security reviews of extensions for Wikivoyage and Wikidata.

2012-11-monthly
<section begin="2012-11-monthly"/>The team continued to respond to several reported vulnerabilities, and released new versions of all supported MediaWiki branches (1.20.1, 1.19.3, 1.18.6) to address vulnerabilities in core. Significant security reviews continued for Wikidata and Wikivoyage extensions.<section end="2012-11-monthly"/>

2012-12-monthly
<section begin="2012-12-monthly"/>The team continued to respond to several reported vulnerabilities. A follow-up security review for Wikidata phase 2/3 was done.<section end="2012-12-monthly"/>

2013-01-monthly
<section begin="2013-01-monthly"/>The team continued to respond to reported vulnerabilities, began a security review of fundraising extensions, and continued reviews of Wikidata features.<section end="2013-01-monthly"/>

2013-02-monthly
<section begin="2013-02-monthly"/>Continued responses to reported vulnerabilities. Preparation for security releases for 1.19 and 1.20 branches of MediaWiki. Continued review of Fundraising.<section end="2013-02-monthly"/>

2013-03-14
<section begin="2013-03-14"/>The Fundraising code base review is done. The MediaWiki 1.20.3 security release was published on March 4.<section end="2013-03-14"/>