[Wikitech-l] Swag program for technical contributors

2022-04-07 Thread Srishti Sethi
Hello everyone,

We want to let you know about a new swag program for technical contributors
that the Wikimedia Foundation's Technical Engagement
<https://www.mediawiki.org/wiki/Wikimedia_Technical_Engagement> [1] team has
developed in collaboration with the Fundraising Operations
<https://meta.wikimedia.org/wiki/Fundraising> [2] team. This program will
reward technical contributors for their active participation in outreach
programs, events, and software projects by giving swag.

This is a small token of appreciation for the countless efforts of our
technical contributors!

In the first year of its operation, the swag program considers 85
individuals with significant contributions as developers, mentors, and
organizers in 2021 for each of the following areas.

   - Google Summer of Code & Outreachy
   - Small wiki toolkits
   - Gerrit code contributions
   - Wikimedia & Wikimania Hackathon

To learn more about each of these areas and the overall program, visit
<https://www.mediawiki.org/wiki/Wikimedia_tech_swag_program> [3]. If you
have any feedback or questions, or have suggestions around which areas to
cover, please share on the talk page.

Best,
Srishti

On behalf of the Technical Engagement team

[1] https://www.mediawiki.org/wiki/Wikimedia_Technical_Engagement

[2] https://meta.wikimedia.org/wiki/Fundraising

[3] https://www.mediawiki.org/wiki/Wikimedia_tech_swag_program

*Srishti Sethi*
Senior Developer Advocate
Wikimedia Foundation 
___
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/

[Wikitech-l] Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.6/1.36.4/1.37.2)

2022-04-07 Thread Maryum Styles
Greetings-

With the security/maintenance release of MediaWiki 1.35.6/1.36.4/1.37.2
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== Echo ==
+ (T285116, CVE-2022-28324) - Echo does not set X-Forwarded-For for
internal API requests, some of which get logged to CU
https://gerrit.wikimedia.org/r/q/I0551fe64042676f8a2b35afb82a3b4e9c09ea673

== GrowthExperiments ==
+ (T298019, CVE-2022-28326) - i18n XSS in GrowthExperiments suggested edits
pager
https://gerrit.wikimedia.org/r/q/Iadc224a038ef0cec072cc1d6b84277355648f9f9

== MobileFrontend ==
+ (T298581, CVE-2022-28325) - Mobile version of Special:Contributions leaks
existence of globally suppressed users
https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038

== SecurePoll ==
+ (T298434, CVE-2022-28323) - SecurePoll leaks voter's exact vote timestamp
https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038

== FileImporter ==
+ (T294256, CVE-2022-28206) - FileImporter allows imports to cascade
protected files when the importer does not have administrator permissions
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/757022

== GrowthExperiments ==
+ (T298312, CVE-2022-28207) - Special:Impact leaks suppressed usernames
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/GrowthExperiments/+/775927/

== CentralAuth ==
+ (T302248, CVE-2022-28205) - CentralAuth expiring global groups do not
expire
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765336
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765335

== Wikibase ==
+ (T302215, CVE-2022-28208) - HTML injection / XSS from i18n message in
WikibaseClient edit hook
https://gerrit.wikimedia.org/r/q/Ife8620d65577e53b03ef4674f54d1684e2f5a773

== JsonConfig ==
+ (T302192, CVE-2021-28210) - Data fields in Commons tabular datasets allow
running arbitrary JS
https://gerrit.wikimedia.org/r/q/Ifa2f6ec9ccce3b781e83a9905392e70d6a7340ad

== TimedMediaHandler ==
+ (T160800, CVE-2022-28211) - TimedMediaHandler doesn't prevent blocked
users from restarting transcodes
https://gerrit.wikimedia.org/r/q/I285c7c189af350be22f5de7b1c6757ad7479a20c

== AntiSpoof ==
+ (T304126, CVE-2022-28209) - One of the checks for 'override-antispoof'
permission is inverted
https://gerrit.wikimedia.org/r/q/Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7

== FlaggedRevs ==
+ (T304354, CVE-2022-28212) - It is impossible to oversight who has
reviewed a revision via FlaggedRevs
https://gerrit.wikimedia.org/r/q/I563bc73829d3a7c6349d364287ba42df78f3c91a

== CentralAuth ==
+ (T226212, CVE-2022-28322) - Global rename log shows timestamp of
suppressed action
https://gerrit.wikimedia.org/r/q/Ica7fedf10a4a8cca3d4b811ff05bfd5553753603

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0] https://w.wiki/52Am
[1] https://phabricator.wikimedia.org/T297839
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

[Wikitech-l] Re: Gerrit & CI maintenance April 7th at 7:00 UTC

2022-04-07 Thread Antoine Musso



On 06/04/2022 at 17:40, Antoine Musso wrote:

Hello,

I will restart the Gerrit and CI services tomorrow Thursday April 7th at 
7:00 UTC.  The services will be unavailable for up to half an hour while 
the maintenance is being conducted.


I have shifted the morning UTC backport and config window by half an 
hour. The MediaWiki train for 1.39.0-wmf.36 scheduled for 8:00 UTC might 
be delayed a bit depending on how many config and backports we have to 
process.


Synchronization will be on Libera.chat IRC channel #wikimedia-operations


Hello,

I have successfully restarted Gerrit and CI services.

Antoine "hashar" Musso