[MediaWiki-l] Security warning for SimpleSecurity extension.
bwolff at wikimedia.org
Wed Jul 19 03:45:27 UTC 2017
This is an advisory that the SimpleSecurity extension has unfixed
security issues, and that people relying on it should consider moving
to a different solution.

The extension does not take caching into consideration, and is not
secure when $wgMainCacheType is something other than CACHE_NONE. We
received a bug report about this quite a long time ago, however it
appears nobody is maintaining the extension, and we were unable to
find anyone to forward the report to who was interested in fixing
the issue. So instead we are making the issue public and issuing
this warning about it.

The issue in question is https://phabricator.wikimedia.org/T48843

The extension in question is

Wikimedia Security Team

P.S. This is the first time I've ever written a warning like this
for an extension. In the past, we've just put security alerts on
the extension page or sometimes just ignored them (which I consider bad).

I would like feedback from mediawiki-l if people on this list appreciate
getting a notice like this, or if you folks consider it off topic.
Any other feedback about how we handle security issues reported to
us for extensions we do not make or maintain is also appreciated.
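
Added example (not part of the original message and not MediaWiki or SimpleSecurity code): a small audit that reads a LocalSettings.php and reports whether SimpleSecurity is loaded alongside a $wgMainCacheType other than CACHE_NONE, the combination the advisory describes. It assumes the extension is loaded with a require/include line naming SimpleSecurity and uses a line-based heuristic rather than a PHP parser; the sample config and result labels are constructed for illustration.

```python
import re

# Constructed sample LocalSettings.php content (not from a real wiki).
SAMPLE_AT_RISK = '''<?php
# $wgMainCacheType = CACHE_NONE;
$wgMainCacheType = CACHE_MEMCACHED;
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
'''

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line # or // comments (heuristic only)."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return '\n'.join(l for l in src.splitlines()
                     if not re.match(r'\s*(#|//)', l))

def main_cache_type(src):
    """Last value assigned to $wgMainCacheType; MediaWiki's default is CACHE_NONE."""
    hits = re.findall(r'^\s*\$wgMainCacheType\s*=\s*([^;]+);', src, flags=re.M)
    return hits[-1].strip() if hits else 'CACHE_NONE'

def loads_simplesecurity(src):
    """Assumption: the extension is pulled in by a require/include statement."""
    pattern = r'\b(require|include)(_once)?\b[^;]*SimpleSecurity'
    return re.search(pattern, src) is not None

def audit(local_settings):
    """Classify a config: 'not-loaded', 'loaded-unmaintained',
    or 'loaded-with-cache:<value>' for the case the advisory warns about."""
    src = strip_php_comments(local_settings)
    if not loads_simplesecurity(src):
        return 'not-loaded'
    cache = main_cache_type(src)
    if cache in ('CACHE_NONE', '0'):
        # The advisory only says caching makes it insecure; the extension
        # is still unmaintained, so this is not a clean bill of health.
        return 'loaded-unmaintained'
    return 'loaded-with-cache:' + cache

if __name__ == '__main__':
    print(audit(SAMPLE_AT_RISK))
```

A value set through an included file or computed at runtime will not be seen by this check, so confirm the effective setting on the running wiki as well.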