Security reviews/status

Last update on: 2012-09-monthly

2012-06-06
Two new vulnerabilities were reported or identified in code review; one fix was put into production. An initial audit of global JavaScript and CSS across WMF sites was done in response to reports of privacy-violating JavaScript. Further enhancements to SVG security were completed.

2012-05-monthly
Chris Steipp has started auditing several parts of our system. Two new vulnerabilities were reported or identified in code review; one fix was put into production. Chris also completed an initial audit of global JavaScript and CSS across Wikimedia sites, in response to reports of problematic JavaScript. He finished up work on an enhanced SVG security filter that strips out elements not included on a feature whitelist.

2012-06-monthly
Chris Steipp was on leave for much of June. Work continues on the audit of global JavaScript and CSS across Wikimedia sites. Three security issues were opened and two were closed. Secure code review training was given at the Berlin Hackathon.

2012-07-27
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-07-monthly
Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-08-monthly
Improved filtering in uselang with MediaWiki 1.20/wmf8 fixed several DOM-based XSS vulnerabilities in different gadgets. Chris Steipp fixed 4 security issues in core, and released MediaWiki 1.19.2 and 1.18.5 to include them.

2012-09-monthly
The team continues to respond to reported vulnerabilities. Chris Steipp led secure code training at WMF tech days for WMF staff. Chris also performed a review pass on the Wikidata extensions.