Security reviews/status

From mediawiki.org

Last update on: 2013-03-14

2012-06-06

Two new vulnerabilities were reported or identified in code review; one fix was put into production. An initial audit of global JavaScript and CSS across WMF sites was done in response to reports of privacy-violating JavaScript. Further enhancements to SVG security were completed.


2012-05-monthly

Chris Steipp has started auditing several parts of our system. Two new vulnerabilities were reported or identified in code review; one fix was put into production. Chris also completed an initial audit of global JavaScript and CSS across Wikimedia sites, in response to reports of problematic JavaScript. He finished work on an enhanced SVG security filter that strips out elements not included on a feature whitelist.

2012-06-monthly

Chris Steipp was on leave for much of June. Work continues on the audit of global JavaScript and CSS across Wikimedia sites. Three security issues were opened and two were closed. Secure code review training was given at the Berlin Hackathon.

2012-07-27

Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-07-monthly

Some audit work has resumed, and more bugfixing is needed in this area. Chris has reviewed Timed Media Handler, Signup API, and is working on a review of Wiki Loves Monuments.

2012-08-monthly

Improved filtering of the uselang parameter with MediaWiki 1.20/wmf8 fixed several DOM-based XSS vulnerabilities in different gadgets. Chris Steipp fixed 4 security issues in core, and released MediaWiki 1.19.2 and 1.18.5 to include them.

2012-09-monthly

The team continues to respond to reported vulnerabilities. Chris Steipp led secure code training at WMF tech days for WMF staff. Chris also performed a review pass on the Wikidata extensions.

2012-10-monthly

The team continued to respond to and fix reported vulnerabilities. They worked on improving the release process for security updates to supported versions of MediaWiki, and provided significant security reviews of extensions for Wikivoyage and Wikidata.

2012-11-monthly

The team continued to respond to several reported vulnerabilities, and released new versions of all supported MediaWiki branches (1.20.1, 1.19.3, 1.18.6) to address vulnerabilities in core. Significant security reviews continued for Wikidata and Wikivoyage extensions.

2012-12-monthly

The team continued to respond to several reported vulnerabilities. A follow-up security review for Wikidata phase 2/3 was done.

2013-01-monthly

The team continued to respond to reported vulnerabilities, began a security review of fundraising extensions, and continued reviews of Wikidata features.

2013-02-monthly

Continued responses to reported vulnerabilities. Preparation for security releases for 1.19 and 1.20 branches of MediaWiki. Continued review of Fundraising.

2013-03-14

The Fundraising code base review is done. The MediaWiki 1.20.3 security release was published on March 4.