Re: [Wikitech-l] Security patch

2016-04-26 Thread Jon Robson
We did push for a new release process in MobileFrontend some time ago:
https://phabricator.wikimedia.org/T104317

This wasn't popular and failed. See:
http://www.gossamer-threads.com/lists/wiki/wikitech/673454?page=last


On Tue, Apr 26, 2016 at 12:17 PM, bawolff  wrote:
> On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane  wrote:
>> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk  wrote:
>>
>>> It's not an extension that gets bundled with MediaWiki releases.
>>>
>>>
>> That doesn't mean third parties aren't using it. When I say a release of
>> the extension, I mean give it a version number, increase the version
>> number, tag it in git, then tell people "ensure you are using version x or
>> greater of MobileFrontend".
>>
>> This is a pretty normal process that Wikimedia does well for other things.
>> I have a feeling this isn't going through a normal process...
>>
>
> I'm pretty sure that doing git tags in extensions for new versions is
> not normal procedure.
>
> I can't recall any extension ever doing that (Unless you mean the
> REL1_26 type tags).
>
> Which is not to say that I necessarily disagree with doing that
> procedure, I just think it's unfair to call that the normal procedure,
> where I don't think that procedure has ever been used for extensions.
>
> Regardless of what procedures are decided as good practice for
> extensions, formalizing the procedures for security releases of
> non-bundled extensions that are maintained by WMF would probably be a
> good idea.
>
> --
> -bawolff
>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


Re: [Wikitech-l] Security patch

2016-04-26 Thread bawolff
I've filed T133735 as a bug to formalize procedures for security
releases of non-MediaWiki-bundled, WMF-maintained extensions.

On Tue, Apr 26, 2016 at 3:17 PM, bawolff  wrote:
> On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane  wrote:
>> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk  wrote:
>>
>>> It's not an extension that gets bundled with MediaWiki releases.
>>>
>>>
>> That doesn't mean third parties aren't using it. When I say a release of
>> the extension, I mean give it a version number, increase the version
>> number, tag it in git, then tell people "ensure you are using version x or
>> greater of MobileFrontend".
>>
>> This is a pretty normal process that Wikimedia does well for other things.
>> I have a feeling this isn't going through a normal process...
>>
>
> I'm pretty sure that doing git tags in extensions for new versions is
> not normal procedure.
>
> I can't recall any extension ever doing that (Unless you mean the
> REL1_26 type tags).
>
> Which is not to say that I necessarily disagree with doing that
> procedure, I just think it's unfair to call that the normal procedure,
> where I don't think that procedure has ever been used for extensions.
>
> Regardless of what procedures are decided as good practice for
> extensions, formalizing the procedures for security releases of
> non-bundled extensions that are maintained by WMF would probably be a
> good idea.
>
> --
> -bawolff


Re: [Wikitech-l] Security patch

2016-04-26 Thread bawolff
On Tue, Apr 26, 2016 at 3:08 PM, Ryan Lane  wrote:
> On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk  wrote:
>
>> It's not an extension that gets bundled with MediaWiki releases.
>>
>>
> That doesn't mean third parties aren't using it. When I say a release of
> the extension, I mean give it a version number, increase the version
> number, tag it in git, then tell people "ensure you are using version x or
> greater of MobileFrontend".
>
> This is a pretty normal process that Wikimedia does well for other things.
> I have a feeling this isn't going through a normal process...
>

I'm pretty sure that doing git tags in extensions for new versions is
not normal procedure.

I can't recall any extension ever doing that (Unless you mean the
REL1_26 type tags).

Which is not to say that I necessarily disagree with doing that
procedure, I just think it's unfair to call that the normal procedure,
where I don't think that procedure has ever been used for extensions.

Regardless of what procedures are decided as good practice for
extensions, formalizing the procedures for security releases of
non-bundled extensions that are maintained by WMF would probably be a
good idea.

--
-bawolff


Re: [Wikitech-l] Security patch

2016-04-26 Thread Adam Baso
Hey Ryan - with stuff merged into master, would it make sense to just point
to the MobileFrontend extension page for people to get the snapshot? Or did
you have something else in mind?

On Tue, Apr 26, 2016 at 1:52 PM, Ryan Lane  wrote:

> Any chance that Wikimedia Foundation can actually do proper releases of
> this extension, rather than sending people a link to a phabricator page
> that has a link to a gerrit change buried in the comments?
>
> This seems like a pretty poor way to do a security release to third parties
> that may be relying on this.
>
> On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson 
> wrote:
>
> > A security vulnerability has been discovered in MediaWiki setups which
> > use MobileFrontend.
> >
> > Revisions whose visibility had been altered were showing up in parts
> > of the mobile UI.
> >
> > All projects in the Wikimedia cluster have since been patched, but if
> > you use this extension, please be sure to apply the fix.
> >
> > Patch file and issue are documented on
> > https://phabricator.wikimedia.org/T133700
> >
> > Note there is some follow-up work to do which is tracked in:
> > https://phabricator.wikimedia.org/T133722
> >

Re: [Wikitech-l] Security patch

2016-04-26 Thread Ryan Lane
On Tue, Apr 26, 2016 at 12:01 PM, Alex Monk  wrote:

> It's not an extension that gets bundled with MediaWiki releases.
>
>
That doesn't mean third parties aren't using it. When I say a release of
the extension, I mean give it a version number, increase the version
number, tag it in git, then tell people "ensure you are using version x or
greater of MobileFrontend".

This is a pretty normal process that Wikimedia does well for other things.
I have a feeling this isn't going through a normal process...

- Ryan

Re: [Wikitech-l] Security patch

2016-04-26 Thread Alex Monk
It's not an extension that gets bundled with MediaWiki releases.

On 26 April 2016 at 19:52, Ryan Lane  wrote:

> Any chance that Wikimedia Foundation can actually do proper releases of
> this extension, rather than sending people a link to a phabricator page
> that has a link to a gerrit change buried in the comments?
>
> This seems like a pretty poor way to do a security release to third parties
> that may be relying on this.
>
> On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson 
> wrote:
>
> > A security vulnerability has been discovered in MediaWiki setups which
> > use MobileFrontend.
> >
> > Revisions whose visibility had been altered were showing up in parts
> > of the mobile UI.
> >
> > All projects in the Wikimedia cluster have since been patched, but if
> > you use this extension, please be sure to apply the fix.
> >
> > Patch file and issue are documented on
> > https://phabricator.wikimedia.org/T133700
> >
> > Note there is some follow-up work to do which is tracked in:
> > https://phabricator.wikimedia.org/T133722
> >

Re: [Wikitech-l] Security patch

2016-04-26 Thread Ryan Lane
Any chance that Wikimedia Foundation can actually do proper releases of
this extension, rather than sending people a link to a phabricator page
that has a link to a gerrit change buried in the comments?

This seems like a pretty poor way to do a security release to third parties
that may be relying on this.

On Tue, Apr 26, 2016 at 11:44 AM, Jon Robson  wrote:

> A security vulnerability has been discovered in MediaWiki setups which
> use MobileFrontend.
>
> Revisions whose visibility had been altered were showing up in parts
> of the mobile UI.
>
> All projects in the Wikimedia cluster have since been patched, but if
> you use this extension, please be sure to apply the fix.
>
> Patch file and issue are documented on
> https://phabricator.wikimedia.org/T133700
>
> Note there is some follow-up work to do which is tracked in:
> https://phabricator.wikimedia.org/T133722
>

Re: [Wikitech-l] Security patch

2016-04-26 Thread bawolff
On Tue, Apr 26, 2016 at 2:44 PM, Jon Robson  wrote:
> A security vulnerability has been discovered in MediaWiki setups which
> use MobileFrontend.
>
> Revisions whose visibility had been altered were showing up in parts
> of the mobile UI.
>
> All projects in the Wikimedia cluster have since been patched, but if
> you use this extension, please be sure to apply the fix.
>
> Patch file and issue are documented on 
> https://phabricator.wikimedia.org/T133700
>
> Note there is some follow-up work to do which is tracked in:
> https://phabricator.wikimedia.org/T133722
>

For these sorts of things, could we include the extension in the
subject line? Otherwise some people might think it's a general
MediaWiki security issue.

Thanks,
--
-bawolff


[Wikitech-l] Security patch

2016-04-26 Thread Jon Robson
A security vulnerability has been discovered in MediaWiki setups which
use MobileFrontend.

Revisions whose visibility had been altered were showing up in parts
of the mobile UI.

All projects in the Wikimedia cluster have since been patched, but if
you use this extension, please be sure to apply the fix.

Patch file and issue are documented on https://phabricator.wikimedia.org/T133700

Note there is some follow-up work to do which is tracked in:
https://phabricator.wikimedia.org/T133722

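The advisory above concerns revisions whose visibility has been restricted (MediaWiki stores this in the rev_deleted bitfield) still being shown in a UI that rendered them. What follows is an added example, not MobileFrontend's code and not the patch on T133700: it models the bitfield using the constant values from MediaWiki core's Revision class, a simplified permission check modelled on Revision::userCan() (the mapping of fields to rights is an assumption and omits details such as the viewsuppressed right), and contrasts a history renderer that ignores the bits with one that gates every field. The sample revisions, rights sets and placeholder strings are constructed for the example.

```python
"""Added example: gating revision fields on rev_deleted bits before rendering.

Illustrative code, not the MobileFrontend patch. Bit values match MediaWiki
core's Revision class; the rights mapping is a simplified assumption modelled
on Revision::userCan(). Sample rows are constructed for the example.
"""
from dataclasses import dataclass

# Bits stored in revision.rev_deleted (values as in MediaWiki core)
DELETED_TEXT = 1        # revision content hidden
DELETED_COMMENT = 2     # edit summary hidden
DELETED_USER = 4        # author name hidden
DELETED_RESTRICTED = 8  # suppressed: hidden even from ordinary admins


def _required_rights(bit):
    """Assumed field -> right mapping (simplified from Revision::userCan())."""
    if bit == DELETED_TEXT:
        return ("deletedtext",)
    return ("deletedhistory",)


@dataclass(frozen=True)
class Revision:
    rev_id: int
    user: str
    comment: str
    text: str
    rev_deleted: int = 0


def user_can(rev, bit, rights):
    """True if a user holding `rights` may see the field guarded by `bit`."""
    if not rev.rev_deleted & bit:
        return True                     # field is not hidden at all
    if rev.rev_deleted & DELETED_RESTRICTED:
        # Suppressed: only the suppression right unlocks any hidden field
        return "suppressrevision" in rights
    return any(r in rights for r in _required_rights(bit))


def render_history_unsafe(revisions):
    """The failure mode: render straight from the rows, ignoring rev_deleted."""
    return [(r.rev_id, r.user, r.comment) for r in revisions]


def render_history(revisions, rights=frozenset()):
    """Hardened: every field passes through user_can() before it is exposed."""
    out = []
    for r in revisions:
        out.append((
            r.rev_id,
            r.user if user_can(r, DELETED_USER, rights) else "(username removed)",
            r.comment if user_can(r, DELETED_COMMENT, rights) else "(edit summary removed)",
        ))
    return out


# Constructed sample rows: one plain, one rev-deleted, one suppressed
SAMPLE = [
    Revision(101, "Alice", "fix typo", "..."),
    Revision(102, "Mallory", "doxxed someone", "...",
             rev_deleted=DELETED_COMMENT | DELETED_USER),
    Revision(103, "Mallory", "oversighted", "...",
             rev_deleted=DELETED_USER | DELETED_RESTRICTED),
]

if __name__ == "__main__":
    print("unsafe:", render_history_unsafe(SAMPLE))
    print("anon:  ", render_history(SAMPLE))
    print("admin: ", render_history(SAMPLE, {"deletedhistory"}))
```

The point to carry over to any new rendering path (mobile, API, gadgets) is that the check belongs on each field at the moment it is emitted, not on the list as a whole: rev 102 is visible to an admin but rev 103 is not, and a renderer that copies rows into a template without consulting the bits reproduces exactly the class of bug the advisory describes.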

Re: [Wikitech-l] Security patch for Flow merged

2015-11-17 Thread Matthew Flaschen

On 11/17/2015 05:12 PM, Matthew Flaschen wrote:
> Nick Wilson discovered a security issue that affects Flow when used with
> caching proxies such as Varnish:
> https://phabricator.wikimedia.org/T116095 (this task will be opened soon).
>
> In such a setup, topics in cache would remain accessible after the board
> was deleted.
>
> We have deployed the fix to the cluster and merged it to the Flow
> repository.

Sorry, I didn't link the fix. It's https://gerrit.wikimedia.org/r/#/c/253760/ .


Thanks,

Matt Flaschen


[Wikitech-l] Security patch for Flow merged

2015-11-17 Thread Matthew Flaschen
Nick Wilson discovered a security issue that affects Flow when used with
caching proxies such as Varnish:
https://phabricator.wikimedia.org/T116095 (this task will be opened soon).

In such a setup, topics in cache would remain accessible after the board
was deleted.

We have deployed the fix to the cluster and merged it to the Flow
repository.

Let us know if you are using REL1_24 or REL1_25 of Flow and this issue
affects you.


Thanks,

Matt Flaschen

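The Flow issue above is a cache invalidation failure: the edge cache keeps rendered topic pages that are never purged when their board is deleted, so the origin's 404 never reaches a client that asks for a topic URL. The following is an added example, not Flow's code and not Gerrit change 253760: it models the caching proxy as an in-memory map keyed by URL and contrasts a delete that purges only the board page with one that first collects the board's dependent topic URLs and purges them all. The URL scheme, board and topic names, and the origin behaviour are assumptions constructed for the example.

```python
"""Added example: deleting a board must purge its topics from the edge cache.

Illustrative code, not Flow's. The proxy is a dict keyed by URL that fills on
the first miss and then answers without consulting the origin, which is the
property of Varnish that made deleted topics stay reachable. URL scheme and
sample data are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Wiki:
    """Origin: boards map to their topic ids. Deleted content is a 404 here."""
    boards: dict = field(default_factory=dict)

    def render(self, url):
        parts = url.strip("/").split("/")
        if parts[0] == "board" and len(parts) == 2 and parts[1] in self.boards:
            return 200, f"board {parts[1]}: {len(self.boards[parts[1]])} topics"
        if parts[0] == "topic" and len(parts) == 2:
            for board, topics in self.boards.items():
                if parts[1] in topics:
                    return 200, f"topic {parts[1]} on {board}"
        return 404, "not found"


class CachingProxy:
    """Varnish-like: a hit is served from the store without touching the
    origin until the entry is purged."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}
        self.origin_hits = 0

    def get(self, url):
        if url in self.store:
            return self.store[url]
        self.origin_hits += 1
        status, body = self.origin.render(url)
        if status == 200:               # only successful responses are cached
            self.store[url] = (status, body)
        return status, body

    def purge(self, url):
        self.store.pop(url, None)


def board_url(board):
    return f"/board/{board}"


def topic_url(topic):
    return f"/topic/{topic}"


def delete_board_unsafe(wiki, proxy, board):
    """Failure mode: the board row goes away and only the board page is purged.
    Cached topic pages stay in the proxy and keep being served."""
    wiki.boards.pop(board)
    proxy.purge(board_url(board))


def delete_board(wiki, proxy, board):
    """Hardened: enumerate every dependent URL *before* deleting (afterwards the
    topics are gone and cannot be enumerated), then purge all of them."""
    urls = [board_url(board)] + [topic_url(t) for t in wiki.boards[board]]
    wiki.boards.pop(board)
    for url in urls:
        proxy.purge(url)


def scenario(delete_fn):
    """Warm the cache, delete the board with `delete_fn`, then request a topic.
    Returns the (status, body) a client sees after the deletion."""
    wiki = Wiki({"Talk:Foo": ["t1", "t2"]})
    proxy = CachingProxy(wiki)
    proxy.get(board_url("Talk:Foo"))
    proxy.get(topic_url("t1"))          # topic page is now cached at the edge
    delete_fn(wiki, proxy, "Talk:Foo")
    return proxy.get(topic_url("t1"))


if __name__ == "__main__":
    print("unsafe delete, topic after deletion:", scenario(delete_board_unsafe))
    print("purging delete, topic after deletion:", scenario(delete_board))
```

In a real deployment the purge step is an HTTP PURGE or ban sent to every cache layer (Varnish and any CDN in front of it) for every URL under which a topic can be reached, including mobile, API and language-variant forms; the part that is easy to get wrong is the ordering, since the dependent URLs have to be collected while the rows still exist.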