[MediaWiki-l] Security warning for SimpleSecurity extension.

Eduardo Elias Camponez camponez at eduardoelias.com
Wed Jul 19 07:12:56 UTC 2017

On 19/07/2017 04:45, Brian Wolff wrote:
> Hello Everyone.
> This is an advisory that the SimpleSecurity extension has unfixed
> security issues, and that people relying on it should consider moving
> to a different solution.
> The extension does not take caching into consideration, and is not
> secure when $wgMainCacheType is something other than CACHE_NONE. We
> received a bug report about this quite a long time ago, however it
> appears nobody is maintaining the extension, and we were unable to
> find anyone to forward the report to who was interested in fixing
> the issue. So instead we are making the issue public and issuing
> this warning about it.
> The issue in question is https://phabricator.wikimedia.org/T48843
> The extension in question is
> https://www.mediawiki.org/wiki/Extension:SimpleSecurity
> Sincerely,
> Brian Wolff
> Wikimedia Security Team
> P.S. This is the first time I've ever written a warning like this
> for an extension. In the past, we've just put security alerts on
> the extension page or sometimes just ignored them (which I consider bad).
> I would like feedback from mediawiki-l if people on this list appreciate
> getting a notice like this, or if you folks consider it off topic.
> Any other feedback about how we handle security issues reported to
> us for extensions we do not make or maintain is also appreciated.

I would appreciate getting this kind of notice. I never go back to the extension's page;
the notice there would help me only the first time, when I'm about to install it.

Thank you!
