Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.
User Details
- User Since: Sep 12 2018, 3:52 PM
- Roles: Administrator
- Availability: Available
- IRC Nick: sbassett
- LDAP User: SBassett
- MediaWiki User: SBassett (WMF)
Fri, Jun 28
Write-up of some of this quarter's work is here: T335892#9936225
Hey all -
I've gone ahead and made T366554 public as, at worst, I think it's a low-risk issue.
Mon, Jun 24
Example of a template keeping track of cumulative bash error codes: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/7102fe1332c371f52d5e0800701d60a81a7e104c/php-security-checker/php-security-checker-ci.yml#L24-L70
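The pattern the linked template uses is to run every check in the job, keep a running tally of non-zero exit statuses, and fail the job once at the end so the log shows all failures rather than stopping at the first one. The following script is an added illustration of that idea, not the template's own code; the check names and the commands they run are placeholders, and the clamping of the cumulative status to 255 is my own addition, because a plain `exit $SUM` is taken modulo 256 and two checks each exiting 128 would otherwise sum to a passing 0.

```shell
#!/bin/sh
# Added illustration (not the linked gitlab-ci-security-templates code):
# run every CI check, remember each non-zero exit status, and fail the job
# once at the end. Check names and commands below are placeholders.

CUMULATIVE_RC=0     # running sum of non-zero exit statuses
FAILED_CHECKS=""    # names of the checks that failed, for the summary

# run_check NAME CMD [ARGS...]
# Runs CMD, records its exit status, and always returns 0 so that a
# caller running under 'set -e' does not abort before the remaining
# checks have had a chance to run.
run_check() {
    name="$1"; shift
    if "$@"; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        printf 'FAIL %s (exit %d)\n' "$name" "$rc" >&2
        CUMULATIVE_RC=$((CUMULATIVE_RC + rc))
        FAILED_CHECKS="$FAILED_CHECKS $name"
    else
        printf 'ok   %s\n' "$name"
    fi
    return 0
}

# clamp_rc N: print N reduced to the 0..255 range a process can actually
# return. Without this, 'exit 256' is reported as 0 and the job passes.
clamp_rc() {
    if [ "$1" -gt 255 ]; then
        echo 255
    else
        echo "$1"
    fi
}

# finish_checks: print a summary and return the clamped cumulative status,
# so the job's final 'exit' reflects every failed check.
finish_checks() {
    if [ "$CUMULATIVE_RC" -eq 0 ]; then
        echo "all checks passed"
        return 0
    fi
    echo "failed checks:$FAILED_CHECKS (cumulative status $CUMULATIVE_RC)" >&2
    return "$(clamp_rc "$CUMULATIVE_RC")"
}

# Typical use in a CI 'script:' section (commands are placeholders):
#   run_check lint     ./vendor/bin/phpcs
#   run_check unit     ./vendor/bin/phpunit
#   run_check security ./vendor/bin/local-php-security-checker
#   finish_checks
```

Calling `finish_checks` last lets the job exit with one status that still encodes how many checks failed, while the per-check `FAIL` lines in the log tell the reader which ones.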
@Chocapikk1337 - you've now been added to our hall of fame: https://security.wikimedia.org/hall-of-fame/
Stalled on completion date. If that's not proper, we can set the status to something else. The Security-Team also has a calendar invite set for this next year.
Mon, Jun 17
Security Review Summary - T360070 - 2024-06-17
Last commit reviewed: be78eb0148
By "active", I just meant "not archived", per gerrit's definition.
Fri, Jun 14
Quick update on this: I plan to post the review next Monday or Tuesday. I haven't really found anything concerning at all.
Ok, if we can keep it simple but all-encompassing, then I'd probably go with something like: "Any active code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org or github.com/wikimedia that is not a fork of an upstream project or otherwise unmaintained by the WMF or Wikimedia Community".
At the very least I think we'd also want to include MediaWiki skins (as opposed to just extensions) since WMF folks are largely the maintainers of Vector et al. Personally, I think we'd also want to include things like the various Wikimedia microservices that support some production-deployed MediaWiki extensions, etc. as we are pretty much the sole maintainers of those. Beyond that, we do write a lot of additional, proprietary Wikimedia code (SRE, Data Engineering, etc.) but we've never traditionally requested many CVEs for many of those codebases, so maybe we aren't worried about those as much. I'd also prefer to at least have the ability to issue CVEs for non-Wikimedia-deployed extensions and skins, as many of those comprise the quarterly supplemental security releases that we still manage.
Wed, Jun 12
Ok, let's call this resolved then, as Wikimedia wikis are unaffected. I guess the only thing we'd need to worry about is if mathoid-mathjax ever updates the version of mathjax from which they are forked (assuming this only affects mathjax v3) and texvcjs ever becomes more lax in the commands/functions it allows.
Interesting - they were added to WMF-NDA, but none of the acl*security groups. I've gone ahead and added them to acl*security_management, so they should be able to see all current security issues tracked in Phab (some of these are public if they're low-risk, etc.)
Any concerns, @Marostegui? If not, happy to make these tasks public now.
So CVE-2023-39663 looks like it refers to two regular expression DoS vectors. It looks like this issue might be tracked within these two issues:
- https://github.com/mathjax/MathJax/issues/3129 (original)
- https://github.com/mathjax/MathJax/issues/3241 (duplicate)
There is a work-around posted under the first issue (safe mode) but I'm not seeing a CVE. A commenter also noted that this issue is fixed within v4, but that version is still in beta. So we might want to explore the safe mode config for v3, if we don't currently have that enabled.
I received approval from WMF-Legal to make this public and for @Chocapikk1337 to write a public blog post (or whatever) about this issue. Also, @Chocapikk1337, let us know if you'd like to be added to the Wikimedia security hall of fame.
Jun 10 2024
Looks like @Reedy and @tstarling answered your questions, @MarkAHershberger? Did you need anything else right now or can we resolve this?