A security vulnerability has been discovered in MediaWiki setups which use MobileFrontend.
Revisions whose visibility had been altered were showing up in parts of the mobile UI.
All projects in the Wikimedia cluster have since been patched, but if you use this extension please be sure to apply the fix.
Patch file and issue are documented on https://phabricator.wikimedia.org/T133700
Note there is some follow-up work to do which is tracked in: https://phabricator.wikimedia.org/T133722
Any chance that Wikimedia Foundation can actually do proper releases of this extension, rather than sending people a link to a phabricator page that has a link to a gerrit change buried in the comments?
This seems like a pretty poor way to do a security release to third parties that may be relying on this.
On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson jrobson@wikimedia.org wrote:
> A security vulnerability has been discovered in MediaWiki setups which use MobileFrontend.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
It's not an extension that gets bundled with MediaWiki releases.
On 26 April 2016 at 19:52, Ryan Lane rlane32@gmail.com wrote:
> Any chance that Wikimedia Foundation can actually do proper releases of this extension, rather than sending people a link to a phabricator page that has a link to a gerrit change buried in the comments?
On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk krenair@gmail.com wrote:
> It's not an extension that gets bundled with MediaWiki releases.
That doesn't mean third parties aren't using it. When I say a release of the extension, I mean give it a version number, increase the version number, tag it in git, then tell people "ensure you are using version x or greater of MobileFrontend".
This is a pretty normal process that Wikimedia does well for other things. I have a feeling this isn't going through a normal process...
- Ryan
On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane rlane32@gmail.com wrote:
> That doesn't mean third parties aren't using it. When I say a release of the extension, I mean give it a version number, increase the version number, tag it in git, then tell people "ensure you are using version x or greater of MobileFrontend".
> This is a pretty normal process that Wikimedia does well for other things. I have a feeling this isn't going through a normal process...
I'm pretty sure that doing git tags in extensions for new versions is not normal procedure.
I can't recall any extension ever doing that (Unless you mean the REL1_26 type tags).
Which is not to say that I necessarily disagree with doing that procedure, I just think it's unfair to call that the normal procedure, where I don't think that procedure has ever been used for extensions.
Regardless of what procedures are decided as good practice for extensions, formalizing the procedures for security releases of non-bundled extensions that are maintained by WMF would probably be a good idea.
-- -bawolff
I've filed T133735 as a bug to formalize procedures for security releases of non-mediawiki bundled wmf-maintained extensions.
On Tue, Apr 26, 2016 at 3:17 PM, bawolff bawolff+wn@gmail.com wrote:
> I'm pretty sure that doing git tags in extensions for new versions is not normal procedure.
We did push for a new release process in MobileFrontend some time ago: https://phabricator.wikimedia.org/T104317
This wasn't popular and failed. See: http://www.gossamer-threads.com/lists/wiki/wikitech/673454?page=last
On Tue, Apr 26, 2016 at 12:17 PM, bawolff bawolff+wn@gmail.com wrote:
> I'm pretty sure that doing git tags in extensions for new versions is not normal procedure.
Hey Ryan - with stuff merged into master would it make sense to just point to the MobileFrontend extension page https://www.mediawiki.org/wiki/Extension:MobileFrontend for people to get the snapshot? Or did you have something else in mind?
On Tue, Apr 26, 2016 at 1:52 PM, Ryan Lane rlane32@gmail.com wrote:
> Any chance that Wikimedia Foundation can actually do proper releases of this extension, rather than sending people a link to a phabricator page that has a link to a gerrit change buried in the comments?
On Tue, Apr 26, 2016 at 2:44 PM, Jon Robson jrobson@wikimedia.org wrote:
> A security vulnerability has been discovered in MediaWiki setups which use MobileFrontend.
For these sorts of things, could we include the extension in the subject line? Otherwise some people might think it's a general mediawiki security issue.
Thanks, -- -bawolff