
mmartorana (manfredi martorana)
Application Security Engineer


User Details

User Since
Nov 5 2021, 2:54 PM (158 w, 1 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
MMartorana (WMF) [ Global Accounts ]

Recent Activity

Yesterday

mmartorana added a comment to T379005: Discuss and determine django ORM structure for initial application.

Hey @sbassett - let’s discuss further in the MR I’ll submit - it should make things clearer.

Fri, Nov 15, 10:04 AM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana updated the task description for T380014: Onboard Jimmy Ly to the Security Team.
Fri, Nov 15, 9:41 AM · Security Team AppSec, Security-Team
mmartorana updated the task description for T380014: Onboard Jimmy Ly to the Security Team.
Fri, Nov 15, 9:40 AM · Security Team AppSec, Security-Team
mmartorana updated the task description for T380014: Onboard Jimmy Ly to the Security Team.
Fri, Nov 15, 9:37 AM · Security Team AppSec, Security-Team
mmartorana created T380014: Onboard Jimmy Ly to the Security Team.
Fri, Nov 15, 9:07 AM · Security Team AppSec, Security-Team

Wed, Nov 13

mmartorana added a comment to T369950: Application Security Review Request : Chart extension and chart-renderer service.

Hey @mmartorana, checking in on how this is progressing. We deployed Charts to test-commons and testwiki last week, and are preparing to deploy to test2wiki and production Commons as early as next week (for testing purposes only). Pilot wiki deployment would follow soon after but would be awaiting the results from this review.

Wed, Nov 13, 3:49 PM · Charts, secscrum, Security, Application Security Reviews

Mon, Nov 11

mmartorana added a comment to T379005: Discuss and determine django ORM structure for initial application.

Regarding the classes, I think for now, since we're aiming for an MVP, we could add a Result class, a User class (to handle different roles), and a Configuration/Settings class to store various tool settings.

I think result could just be a field under the Task model, since it would likely just be a json blob stored on disk or in mariadb. If we're going to leverage django's built-in user management capabilities, I'd argue that we probably don't need a User model at this time, for the API. Eventually we'll likely want to provide basic CRUD and token-granting for user/role management via the API, but that seems beyond the scope of an MVP IMO. I think tool config could likely be handled via a many-to-one relationship in the Tool table.

I also have some suggestions about the model fields. @sbassett, would you like to discuss model fields as well?

Sure.

@Mstyles - any thoughts on this or anything else?

Mon, Nov 11, 4:47 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team

Wed, Nov 6

mmartorana added a comment to T379007: Discuss best authn/z methods for initial phase of application development.

Hey - for the initial authn/z setup, I recommend using Django's built-in system. It's a solid, easy, and secure starting point.

Wed, Nov 6, 4:41 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana added a comment to T379005: Discuss and determine django ORM structure for initial application.

Hey, this looks good as a starting point.

Wed, Nov 6, 3:56 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team

Mon, Nov 4

mmartorana added a comment to T369950: Application Security Review Request : Chart extension and chart-renderer service.

@sbassett @mmartorana following our conversation earlier in the week, we've added the components for client side hydration (with feature flag) so the codebase is now in a stable place and ready for your inspection and advice.

Mon, Nov 4, 11:27 AM · Charts, secscrum, Security, Application Security Reviews

Thu, Oct 31

mmartorana changed the visibility for T377222: Don’t use raw HTML messages in safe mode.
Thu, Oct 31, 3:12 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Wed, Oct 30

mmartorana added a comment to T369950: Application Security Review Request : Chart extension and chart-renderer service.

Hi @CCiufo-WMF, @NBaca-WMF and team - following our meeting, I will remove this extension from our risk register since you plan to wait for our review before proceeding with deployment.

Wed, Oct 30, 5:41 PM · Charts, secscrum, Security, Application Security Reviews

Mon, Oct 28

mmartorana updated subscribers of T369950: Application Security Review Request : Chart extension and chart-renderer service.

Hi everyone, I wanted to share an update to inform @acooper and the security team that this extension will undergo some architectural changes in the coming weeks.

Mon, Oct 28, 6:02 PM · Charts, secscrum, Security, Application Security Reviews

Wed, Oct 23

mmartorana changed the status of T377769: Research and determine initial security tools, a subtask of T371814: [EPIC] Universal Security Dashboard, from Open to In Progress.
Wed, Oct 23, 1:30 PM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team
mmartorana changed the status of T377769: Research and determine initial security tools from Open to In Progress.
Wed, Oct 23, 1:30 PM · Universal Security Dashboard, Security, Security-Team

Mon, Oct 21

mmartorana updated subscribers of T371814: [EPIC] Universal Security Dashboard.
Mon, Oct 21, 5:12 PM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team

Oct 17 2024

mmartorana added a comment to T369950: Application Security Review Request : Chart extension and chart-renderer service.

Hi @CCiufo-WMF and team, I understand that your plan is to deploy soon, but after some evaluation, I plan to submit my review by mid-November.

Oct 17 2024, 4:06 PM · Charts, secscrum, Security, Application Security Reviews

Oct 16 2024

mmartorana triaged T377222: Don’t use raw HTML messages in safe mode as Low priority.
Oct 16 2024, 3:38 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Oct 14 2024

mmartorana added a comment to T369950: Application Security Review Request : Chart extension and chart-renderer service.

Just a note that we are not yet ready for the Charts service + extension to be reviewed, but hope to be at that point by the end of next week. (cc @Jdlrobson)

Oct 14 2024, 2:35 PM · Charts, secscrum, Security, Application Security Reviews

Oct 9 2024

mmartorana changed the status of T371821: Investigate reporting options for various tools, tabular CLI reports, etc. from Open to In Progress.

After doing some research, I believe we can effectively utilize Django’s built-in capabilities for reporting and managing tabular data in our Universal Security Dashboard. Django’s ORM simplifies data querying and manipulation, while its templating system enables the rendering of tables in web views.

Oct 9 2024, 4:32 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana changed the status of T371821: Investigate reporting options for various tools, tabular CLI reports, etc., a subtask of T371814: [EPIC] Universal Security Dashboard, from Open to In Progress.
Oct 9 2024, 4:31 PM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team

Oct 8 2024

mmartorana closed T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance, a subtask of T371814: [EPIC] Universal Security Dashboard, as Resolved.
Oct 8 2024, 10:06 AM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team
mmartorana closed T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance as Resolved.
Oct 8 2024, 10:06 AM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team

Sep 27 2024

mmartorana awarded T360365: Application Security Review Request : New Plugins for Upcoming WMF & WEND Digital Annual Reports - WordPress a Yellow Medal token.
Sep 27 2024, 1:24 PM · secscrum, Security, Application Security Reviews

Sep 26 2024

mmartorana changed the status of T375307: Vulnerability: Broken Authentication & Session Management from Open to In Progress.
Sep 26 2024, 2:49 PM · MediaWiki-Platform-Team, MediaWiki-Core-AuthManager, SecTeam-Processed, Vuln-Authn/Session, Security, Security-Team

Sep 6 2024

mmartorana closed T373930: Requesting access to SRE related mailing list security@wikimedia.org as Resolved.

Done (confirmed via T373713)

Sep 6 2024, 9:12 AM · SecTeam-Processed, Security-Team
mmartorana closed T373713: Security Issue Access Request for (jasmine_) as Resolved.

Hey @jasmine_ - I have granted access to acl*security_sre.

Sep 6 2024, 9:06 AM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for acl*security_sre: jasmine_.
Sep 6 2024, 9:02 AM

Aug 28 2024

mmartorana added a comment to T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance.

Just FYI, I'm trying to get a new, dedicated dev/test/stage VPS project created for this work: T373386. Of note: we'll definitely want to create a proper puppet manifest for the primary app instance run under this project (and have it live within the wmf puppet repo), likely very similar to what exists for quarry, but probably simpler in this case.

Aug 28 2024, 3:30 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana changed the status of T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance, a subtask of T371814: [EPIC] Universal Security Dashboard, from Open to In Progress.
Aug 28 2024, 3:17 PM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team
mmartorana changed the status of T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance from Open to In Progress.
Aug 28 2024, 3:17 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana moved T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance from Backlog to In Progress on the Universal Security Dashboard board.
Aug 28 2024, 3:16 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana changed the status of Restricted Task, a subtask of T372702: editors are repeatedly getting logged out (August 2024), from Open to In Progress.
Aug 28 2024, 2:52 PM · MW-1.43-notes (1.43.0-wmf.28; 2024-10-22), MW-1.44-notes (1.44.0-wmf.1; 2024-10-29), Temporary accounts, MediaWiki-Platform-Team, Wikidata, MediaWiki-User-login-and-signup

Aug 21 2024

mmartorana closed T366233: Application Security Review Request : Metrics Platform extension as Resolved.

Security Review Summary - T366233 - 2024-08-21
Last commit reviewed: 18f9619

Aug 21 2024, 5:12 PM · secscrum, Security, Application Security Reviews
mmartorana closed T366233: Application Security Review Request : Metrics Platform extension, a subtask of T366234: Deploy the Metrics Platform extension, as Resolved.
Aug 21 2024, 5:11 PM · Metrics Platform, Data Products (Data Products Sprint 17), Wikimedia-extension-review-queue, Wikimedia-Extension-setup

Aug 16 2024

mmartorana added a comment to T366233: Application Security Review Request : Metrics Platform extension.

Hello, thank you for informing us. The review will be published shortly.

Aug 16 2024, 3:36 PM · secscrum, Security, Application Security Reviews

Jul 31 2024

mmartorana closed T370867: security@wikimedia.org access required for tappof as Resolved.

Hi @tappof - I have granted access to security@wikimedia.org.

Jul 31 2024, 5:04 PM · SecTeam-Processed, Security-Team
mmartorana closed T370850: Security Issue Access Request for (tappof) as Resolved.

Hi @tappof - I have granted access to acl*security_sre.

Jul 31 2024, 10:38 AM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for acl*security_sre: tappof.
Jul 31 2024, 10:34 AM

Jul 25 2024

mmartorana moved T370056: Test the string export feature of the tool from Stalled/Waiting to Completed on the wikimedia-risk-calculator board.
Jul 25 2024, 10:07 AM · wikimedia-risk-calculator

Jul 24 2024

mmartorana moved T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from In Progress to Completed on the wikimedia-risk-calculator board.
Jul 24 2024, 3:47 PM · wikimedia-risk-calculator
mmartorana added a comment to T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.

Practical Application and Results section added: https://www.mediawiki.org/wiki/Security/Wikimedia_Risk_Calculator

Jul 24 2024, 3:47 PM · wikimedia-risk-calculator
mmartorana moved T370056: Test the string export feature of the tool from In Progress to Stalled/Waiting on the wikimedia-risk-calculator board.
Jul 24 2024, 3:35 PM · wikimedia-risk-calculator
mmartorana updated the task description for T370056: Test the string export feature of the tool.
Jul 24 2024, 3:22 PM · wikimedia-risk-calculator
mmartorana moved T370056: Test the string export feature of the tool from Backlog to In Progress on the wikimedia-risk-calculator board.
Jul 24 2024, 3:21 PM · wikimedia-risk-calculator

Jul 23 2024

mmartorana added a comment to T370081: CVE-2024-47840: Stored XSS through sidebar in Apex skin.

Seeing as the skin is not actively maintained and the original author has been away for a long time now, would the Security Team be able to merge a patch to this?

Also, this is actually the same issue as T361452; are similar cases being tracked anywhere?

Jul 23 2024, 3:56 PM · Patch-For-Review, SecTeam-Processed, Vuln-XSS, Apex, Security
mmartorana changed the status of T370081: CVE-2024-47840: Stored XSS through sidebar in Apex skin from Open to In Progress.
Jul 23 2024, 3:54 PM · Patch-For-Review, SecTeam-Processed, Vuln-XSS, Apex, Security

Jul 19 2024

sbassett awarded T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0) a Like token.
Jul 19 2024, 4:42 PM · user-sbassett, MediaWiki-Releasing, Security

Jul 17 2024

mmartorana added a comment to T367440: Attempt to condense trivy scanning output and avoid false positive exit code.

Issue number 2 has now successfully been addressed.

Jul 17 2024, 3:45 PM · GitLab-Application-Security-Pipeline, Security, Security Team AppSec, Security-Team

Jul 15 2024

mmartorana created T370056: Test the string export feature of the tool.
Jul 15 2024, 2:50 PM · wikimedia-risk-calculator
mmartorana renamed wikimedia-risk-calculator from risk-rating-toolkit to wikimedia-risk-calculator.
Jul 15 2024, 2:48 PM

Jul 10 2024

mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 9:24 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana changed the visibility for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 9:23 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0) as Resolved.

Supplemental announcement is out!

Jul 10 2024, 9:23 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T363773: CVE-2024-40613: Evil regex used to process gadget definitions as Resolved.
Jul 10 2024, 8:58 AM · Patch-For-Review, security-bug, SecTeam-Processed, MediaWiki-extensions-Gadgets, Vuln-DoS, Security, Security-Team
mmartorana changed the visibility for T268147: CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins.
Jul 10 2024, 8:54 AM · Trust and Safety Product Team, CheckUser, Vuln-Infoleak, User-DannyS712, Security
mmartorana changed the visibility for T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode.
Jul 10 2024, 8:53 AM · Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), MW-1.42-notes, MW-1.43-notes (1.43.0-wmf.4; 2024-05-07), Patch-For-Review, Trust and Safety Product Team, SecTeam-Processed, CheckUser, Vuln-DoS, Security
mmartorana changed the visibility for T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.
Jul 10 2024, 8:52 AM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana changed the visibility for T361296: CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.
Jul 10 2024, 8:52 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), Patch-For-Review, SecTeam-Processed, security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana changed the visibility for T361295: CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.
Jul 10 2024, 8:52 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Patch-For-Review, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana closed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar as Resolved.
Jul 10 2024, 8:51 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security
mmartorana changed the visibility for T361293: CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it.
Jul 10 2024, 8:51 AM · SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 8:49 AM · user-sbassett, MediaWiki-Releasing, Security

Jul 9 2024

mmartorana added a comment to T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.

A pull request for this patch has been submitted on github: https://github.com/lingua-libre/BlueLL/pull/18

Jul 9 2024, 8:17 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security

Jul 8 2024

mmartorana renamed T363773: CVE-2024-40613: Evil regex used to process gadget definitions from Evil regex used to process gadget definitions to CVE-2024-40613: Evil regex used to process gadget definitions.
Jul 8 2024, 5:38 PM · Patch-For-Review, security-bug, SecTeam-Processed, MediaWiki-extensions-Gadgets, Vuln-DoS, Security, Security-Team
mmartorana renamed T363884: CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF from Special:ChangeRating is vulnerable to CSRF to CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF.
Jul 8 2024, 5:38 PM · SecTeam-Processed, Vuln-CSRF, ArticleRatings, Security
mmartorana renamed T362588: CVE-2024-40601: Classic CSRF in MediaWikiChat's API modules from Classic CSRF in MediaWikiChat's API modules to CVE-2024-40601: Classic CSRF in MediaWikiChat's API modules.
Jul 8 2024, 5:37 PM · security-bug, SecTeam-Processed, Vuln-CSRF, MediaWikiChat, Security
mmartorana renamed T361449: CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar from Metrolook skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · SecTeam-Processed, security-bug, Metrolook, Vuln-XSS, Security, Security-Team
mmartorana renamed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar from BlueLL skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security
mmartorana renamed T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar from Foreground skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
mmartorana renamed T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar from Tempo skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
mmartorana renamed T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar from Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar to CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
mmartorana renamed T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar from GuMaxDD skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
mmartorana renamed T326866: CVE-2024-40596: Special:Investigate can expose suppressed information for log events from Special:Investigate can expose suppressed information for log events to CVE-2024-40596: Special:Investigate can expose suppressed information for log events.
Jul 8 2024, 5:35 PM · MW-1.43-notes (1.43.0-wmf.7; 2024-05-28), Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), Trust and Safety Product Team, CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T268147: CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins from Special:CheckUser shows deleted edits to non-admins to CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins.
Jul 8 2024, 5:35 PM · Trust and Safety Product Team, CheckUser, Vuln-Infoleak, User-DannyS712, Security
mmartorana renamed T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode from Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode to CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode.
Jul 8 2024, 5:34 PM · Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), MW-1.42-notes, MW-1.43-notes (1.43.0-wmf.4; 2024-05-07), Patch-For-Review, Trust and Safety Product Team, SecTeam-Processed, CheckUser, Vuln-DoS, Security
mmartorana renamed T326865: CVE-2024-40597: Special:CheckUser can expose suppressed information for log events from Special:CheckUser can expose suppressed information for log events to CVE-2024-40597: Special:CheckUser can expose suppressed information for log events.
Jul 8 2024, 5:34 PM · MW-1.43-notes (1.43.0-wmf.1; 2024-04-16), Trust and Safety Product Team, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T326867: CVE-2024-40598: CheckUser API can expose suppressed information for log events from CheckUser API can expose suppressed information for log events to CVE-2024-40598: CheckUser API can expose suppressed information for log events.
Jul 8 2024, 5:33 PM · Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL from Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL to CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.
Jul 8 2024, 5:33 PM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana renamed T361296: CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them from Special:Investigate exposes suppressed usernames to those who do not have the rights to see them to CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.
Jul 8 2024, 5:33 PM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), Patch-For-Review, SecTeam-Processed, security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T361295: CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them from CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them to CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.
Jul 8 2024, 5:32 PM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Patch-For-Review, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T361293: CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it from Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it to CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it.
Jul 8 2024, 5:32 PM · SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security
mmartorana added a comment to T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)

Jul 8 2024, 5:31 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:45 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:26 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:17 PM · user-sbassett, MediaWiki-Releasing, Security

Jul 3 2024

mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 3 2024, 2:22 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 3 2024, 2:18 PM · user-sbassett, MediaWiki-Releasing, Security

Jun 27 2024

mmartorana moved T360365: Application Security Review Request : New Plugins for Upcoming WMF & WEND Digital Annual Reports - WordPress from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T360365 - 2024-06-27

Jun 27 2024, 4:44 PM · secscrum, Security, Application Security Reviews

Jun 20 2024

mmartorana moved T361961: Security Review For reefjs (potentially used by Wikipedia Preview) from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T361961 - 2024-06-20

Jun 20 2024, 4:27 PM · Inuka-Team, Wikipedia-Preview, Application Security Reviews, secscrum

Jun 18 2024

mmartorana moved T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from Backlog to In Progress on the wikimedia-risk-calculator board.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana changed the status of T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from Open to In Progress.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana updated the task description for T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana created T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.
Jun 18 2024, 1:58 PM · wikimedia-risk-calculator
mmartorana moved T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 18 2024, 1:57 PM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator
mmartorana changed the status of T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org from Open to In Progress.
Jun 18 2024, 9:38 AM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator

Jun 14 2024

mmartorana closed T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline as Resolved.
Jun 14 2024, 3:53 PM · GitLab-Application-Security-Pipeline, SecTeam-Processed, GitLab (CI & Job Runners), Security, Security Team AppSec, Security-Team
mmartorana closed T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Jun 14 2024, 3:53 PM · Epic, user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana changed the status of T367440: Attempt to condense trivy scanning output and avoid false positive exit code from Open to In Progress.
Jun 14 2024, 3:52 PM · GitLab-Application-Security-Pipeline, Security, Security Team AppSec, Security-Team

Jun 6 2024

mmartorana moved T366816: Add toolforge cron script to repo from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 10:06 PM · Security-Team, wikimedia-risk-calculator, Security