On 19/07/2017 04:45, Brian Wolff wrote:
Hello Everyone.

This is an advisory that the SimpleSecurity extension has unfixed
security issues, and that people relying on it should consider moving
to a different solution.

The extension does not take caching into consideration, and is not
secure when $wgMainCacheType is something other than CACHE_NONE. We
received a bug report about this quite a long time ago, however it
appears nobody is maintaining the extension, and we were unable to
find anyone to forward the report to who was interested in fixing
the issue. So instead we are making the issue public and issuing
this warning about it.

The issue in question is
https://phabricator.wikimedia.org/T48843

The extension in question is
https://www.mediawiki.org/wiki/Extension:SimpleSecurity

Sincerely,
Brian Wolff
Wikimedia Security Team

P.S. This is the first time I've ever written a warning like this
for an extension. In the past, we've just put security alerts on
the extension page or sometimes just ignored them (which I consider bad).
I would like feedback from mediawiki-l if people on this list appreciate
getting a notice like this, or if you folks consider it off topic.
Any other feedback about how we handle security issues reported to
us for extensions we do not make or maintain is also appreciated.

I would appreciate getting this kind of notice. I never go back to the
extension's page; the notice there would help me only the first time,
when I'm about to install it.

Thank you!
Eduardo