[Wikitech-l] [MediaWiki-announce] OAuth security update

2016-11-02 Thread Gergő Tisza
Hi all,

a minor security bug [1] has been fixed in the OAuth extension:
* a connected application could use the /identify endpoint to learn the
username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the
username of a user even if the user was locked or blocked from login (this
could be problematic when OAuth is used for authentication, such as with
the OAuthAuthentication [2] extension).
The fix has been backported to all supported versions (those for MediaWiki
1.23, 1.26 and 1.27).


Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)


[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication
___
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
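
The two cases in the announcement above, sketched as a minimal model. This is an added illustration, not code from the OAuth extension; every name in it (Consumer, User, Grant, identify_checked, the sample data) is hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model; none of these names come from the OAuth extension.
@dataclass
class Consumer:
    key: str
    disabled: bool = False

@dataclass
class User:
    name: str
    locked: bool = False
    blocked_from_login: bool = False

@dataclass
class Grant:  # one user's authorization of one consumer
    consumer: Consumer
    user: User

class IdentifyDenied(Exception): pass

def identify_unchecked(grant):
    # Behaviour described in the announcement: a stored grant alone suffices.
    return {"username": grant.user.name}

def identify_checked(grant):
    # Re-evaluate consumer and account state on every call, not only at grant time.
    if grant.consumer.disabled:
        raise IdentifyDenied("consumer is disabled")
    if grant.user.locked or grant.user.blocked_from_login:
        raise IdentifyDenied("account may not log in")
    return {"username": grant.user.name}

def disclosed(handler, grants):
    # Labels of the grants for which the handler returns a username.
    out = []
    for label, grant in grants.items():
        try:
            handler(grant)
            out.append(label)
        except IdentifyDenied:
            pass
    return out

SAMPLE = {  # constructed test data
    "active": Grant(Consumer("app-a"), User("Alice")),
    "disabled_app": Grant(Consumer("app-b", disabled=True), User("Bob")),
    "locked_user": Grant(Consumer("app-a"), User("Carol", locked=True)),
    "blocked_user": Grant(Consumer("app-a"), User("Dave", blocked_from_login=True)),
}
```

A regression check over such a matrix should assert both directions: the three restricted cases are denied, and the active grant is still answered.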

[Wikitech-l] [MediaWiki-announce] OAuth security update #2

2016-11-02 Thread Gergo Tisza
The recent OAuth security fix [1] had a bug [2] which caused some
legitimate OAuth requests to be rejected. The affected versions have been
updated to work properly. Apologies for the disruption.

Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)


[1] https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-October/000197.html
[2] https://phabricator.wikimedia.org/T149194