User Details
- User Since
- Nov 18 2019, 7:30 PM (253 w, 5 d)
- Availability
- Available
- LDAP User
- Mstyles
- MediaWiki User
- MStyles (WMF)
Fri, Sep 27
Testing has been scheduled and there will be a kickoff meeting the week before for any questions
Tue, Sep 24
Confirmed with comms that we are not doing the press release.
Wed, Sep 18
Mon, Sep 16
Confirmed by MITRE
Wed, Sep 11
There's no security review required for Jest at this time as long as it remains a developer dependency. We would like to ensure that the version stays up to date and if there are any critical vulnerabilities found, that you reach out to the security team.
Tue, Sep 3
@Reedy I'll store it in that. I thought there was a shared LastPass for some reason
Sat, Aug 31
Fri, Aug 30
Aug 28 2024
Aug 27 2024
@sbassett the security landing page has been updated. Only thing left is to remove Hal from the email list, which I will need you to do since I don't have permission.
I talked to ITS. They have removed Hal from the Security drive. They are going to merge his current accounts into his contractor accounts after they are provisioned via our Onboarding workflow. If we have any concerns we can let them know. I think that should be fine.
Aug 26 2024
I reached out to confirm with ITS, will report back on that. I don't have access to the security-team email list, so I can't remove Hal.
@Aklapper perhaps they never had security access to begin with?
Hey! I'm from the security team and I didn't see either of these folks in acl*security or acl*security_wmde. Perhaps they've already been removed by someone else?
Aug 19 2024
@Aklapper are you okay to resolve this ticket?
Aug 15 2024
No, we still have to do an onboarding and actually become a CNA partner. Unless you think that should be a separate ticket?
Aug 13 2024
@BlankEclair thank you for reporting. I'll follow up with further information soon
Met with Mitre and the finalized scope is:
Jul 22 2024
@Aklapper since the gerrit patch is public this ticket is okay to be public as well. I went ahead and changed the policy
Jul 19 2024
@sbassett once it's scheduled you'll receive an invite
Jul 18 2024
This scope still did not pass inspection by Mitre, so we are having a meeting next week to discuss more in detail. Anyone who is interested in coming to the meeting let me know.
Jul 17 2024
@sbassett is out this week, so I will set up a meeting next week so we can discuss the beta deployment
Jul 15 2024
This patch looks good but I would like someone familiar with this extension to review it as well.
Jun 17 2024
Great, I think this is the final scope: "Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org or github.com/wikimedia that is not archived or a fork of an upstream project or otherwise unmaintained by the WMF or Wikimedia Community"
Jun 14 2024
I like that, but I do think that we might either have to remove active or define what that means. Do we mean active in the last 6 months? Last year?
There needs to be clarity on what projects we will manage or not. Originally when we started this project we did say MediaWiki core, skins, and extensions, but if you want to open it up that's fine with me. I'm fine to say vulnerabilities in software maintained by the Wikimedia Foundation or something like that.
It can't be a minimal list, it needs to be an exact list of what we will issue CVEs for. I'm only saying this because I met with Mitre, and they want a canonical list of what we will and will not cover. We can also say something like, "Scope The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope" but then that might be more broad than we want. Go has one that says, "Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope". So we could say something very similar to that.
How about
Jun 13 2024
I met with Mitre today and there are two issues to address before we can have the official onboarding meeting with the whole team.
They wanted to get very clear on the scope and we need to have a proper advisory page.
Jun 10 2024
@Physikerwelt thank you for reporting this. This issue looks like it's referring to CVE-2023-39663, which only affects versions of MathJax up to and including 2.7.9. The current version of MathJax for WMF production is 3.2.2, so WMF systems are not affected. I'm marking this as resolved, but if you have any other questions or comments, please let us know.
Legal approved the terms of service in Coupa. I'm meeting with Mitre this week to talk about our scope and advisory page. There might need to be some updates. More to come.
Jun 5 2024
Jun 4 2024
Jun 3 2024
@acooper I filled out a Coupa request with legal.
May 31 2024
Mitre responded on May 15, but I was OOO so I filled out the CNA registration form today. I did reach out to legal about the terms of service as well. The next steps are for Mitre to schedule a meeting to discuss the program more. If anyone is interested in the onboarding materials, there is information about the onboarding process and the CNA Rules.
May 30 2024
May 16 2024
May 15 2024
May 9 2024
May 7 2024
@jsn.sherman I'll aim for the end of May for this review, but in case I'm not able to post it, you can go ahead and get the pilot rolling.
May 6 2024
@jsn.sherman thanks for letting me know. Is there a deadline that I should know about for the review? If not, I will post mid-June.
Supplemental announcement is out!
Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)
Apr 23 2024
@ashley Since MediaWikiChat is not deployed in WMF production, this patch can be pushed through github.
Apr 15 2024
Security issue access has been granted.
Apr 13 2024
Apr 10 2024
Apr 8 2024
@Samwalton9-WMF this review will be scoped to the extension only, the models will be out of scope for this review. Is it possible that this tool will replace existing auto moderator tools? For the timeline, does that mean the review can start in May? We're planning to do this review this quarter.
Apr 5 2024
It looks like it's not too bad to convert from CycloneDX to SPDX, so even if we decide to go with CycloneDX we can still get the SPDX data if we want it. CycloneDX seems to have more tooling and also provides a license scanner to look at the licenses @Jdforrester-WMF was referencing.