Security auditing and response/status

Last update on: 2014-12-monthly

2013-03-monthly
The fundraising code base review is done. A MediaWiki security release, 1.20.3, was published on March 4. A review of the user metrics API is underway.

2013-04-monthly
We released the MediaWiki 1.19.5 and 1.20.4 security releases on April 15th.

2013-05-monthly
We released MediaWiki 1.20.6/1.19.7 and provided security training for developers at the Amsterdam Hackathon.

2013-06-monthly
The team continued to respond to reported security issues, and gave security-oriented tech talks on emerging DoS techniques and using OWASP's ZAP tool for vulnerability scanning.

2013-07-monthly
The team continued to respond to reported security issues and to address outstanding bugs.

2013-08-monthly
The team responded to reported issues, and prepared for the next MediaWiki release, scheduled on September 3. We worked with Operations to enable HTTPS for user logins in most geographies.

2013-09-monthly
The team responded to reported issues, and published the MediaWiki 1.21.2, 1.20.7 and 1.19.8 security releases to fix several issues in core and extensions.

2013-10-monthly
We responded to several issues reported in core and extensions. An emergency password reset was put into place to address a private data security issue.

2013-11-monthly
<section begin="2013-11-monthly"/>We released a security update to MediaWiki to fix a number of issues in core and extensions. Security reviews of Limn, GWTools and Flow extensions are in progress.<section end="2013-11-monthly"/>

2013-12-monthly
<section begin="2013-12-monthly"/>We continued to respond to reported security issues, and completed security reviews of Flow, the Wikimania Scholarships app, and the GLAM Wiki Toolset.<section end="2013-12-monthly"/>

2014-01-monthly
<section begin="2014-01-monthly"/>We announced the MediaWiki 1.22.1 and 1.22.2 security releases, and continued to respond to reported vulnerabilities.<section end="2014-01-monthly"/>

2014-02-monthly
<section begin="2014-02-monthly"/>MediaWiki 1.22.3, 1.21.6, and 1.19.12 security updates were released. We started a review of the Hadoop infrastructure and the Popups extension.<section end="2014-02-monthly"/>

2014-03-monthly
<section begin="2014-03-monthly"/>MediaWiki 1.19.13, 1.22.5, 1.21.8 and 1.19.14 were released to fix security issues. An internal security training session was held for Wikimedia Foundation staff.<section end="2014-03-monthly"/>

2014-04-monthly
<section begin="2014-04-monthly"/>We helped with the operational response to the Heartbleed vulnerability. Significant work was done on identifying and testing static analysis tools to integrate into the release workflow. We finished reviewing varnishkafka for Analytics, and Compact Personal Bar for UX. MediaWiki releases 1.21.9 and 1.22.6 fixed one security issue.<section end="2014-04-monthly"/>

2014-05-monthly
<section begin="2014-05-monthly"/>MediaWiki (1.22.7) was released to fix an XSS vulnerability. A separate DOM XSS issue was fixed in MobileFrontend. We also finished a review of Hadoop's Camus.<section end="2014-05-monthly"/>

2014-06-monthly
<section begin="2014-06-monthly"/>We released MediaWiki 1.23.1 to prevent multiple issues caused by loading external SVG resources. We also performed security reviews of the Wikidata property suggester, Extension:Mantle for mobile/Flow, and Flow's templating rewrite.<section end="2014-06-monthly"/>

2014-07-monthly
<section begin="2014-07-monthly"/>MediaWiki 1.23.2 was released, fixing 3 security bugs. Security reviews were performed for the BounceHandler and Petition extensions, and the password API was merged.<section end="2014-07-monthly"/>

2014-08-monthly
<section begin="2014-08-monthly"/>We completed security reviews of the Graph, WikibaseQuery and WikibaseQueryEngine extensions. Initial work was done to enable regular dynamic security scanning.<section end="2014-08-monthly"/>

2014-09-monthly
<section begin="2014-09-monthly"/>We published the 1.23.4 security release, and completed review for the Graph and Imagemetrics extensions.<section end="2014-09-monthly"/>

2014-10-monthly
<section begin="2014-10-monthly"/>We completed security reviews for WikiGrok, Labeled Section Transclusion headers, the IEG grant-review application, and RecentActivityFeed. We also released security updates for CentralAuth and MobileFrontend.<section end="2014-10-monthly"/>

2014-11-monthly
<section begin="2014-11-monthly"/>Four security issues were fixed in the 1.23.7 release. Security reviews covered OOjs UI (PHP implementation), the SandboxLink extension, GlobalUserPage, and Phabricator Sprint.<section end="2014-11-monthly"/>

2014-12-monthly
<section begin="2014-12-monthly"/>MediaWiki 1.24.1 was released, fixing issues in core and several extensions. Reviews for kafkatee and plancake email parser were finished. During December, the WMF also participated in a security assessment of MediaWiki by iSec Partners, sponsored by the Open Technology Fund. The results will be made public in February.<section end="2014-12-monthly"/>