
mmartorana (manfredi martorana)
Application Security Engineer

User Details

User Since
Nov 5 2021, 2:54 PM (146 w, 5 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
MMartorana (WMF) [ Global Accounts ]

Recent Activity

Today

mmartorana added a comment to T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance.

Absolutely! It seems that the debmonitor one is quite similar to what we aim to build for this and looks much simpler, like you said.

Wed, Aug 28, 3:30 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana changed the status of T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance, a subtask of T371814: [EPIC] Universal Security Dashboard, from Open to In Progress.
Wed, Aug 28, 3:17 PM · SecTeam-Processed, Universal Security Dashboard, user-sbassett, Epic, Security, Security-Team
mmartorana changed the status of T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance from Open to In Progress.
Wed, Aug 28, 3:17 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana moved T371818: Investigate puppet configuration/profile for a stand-alone python/django application under wmcs bookworm instance from Backlog to In Progress on the Universal Security Dashboard board.
Wed, Aug 28, 3:16 PM · SecTeam-Processed, Universal Security Dashboard, Security, Security-Team
mmartorana changed the status of Restricted Task, a subtask of T372702: editors are repeatedly getting logged out (August 2024), from Open to In Progress.
Wed, Aug 28, 2:52 PM · MediaWiki-Platform-Team, Wikidata, MediaWiki-User-login-and-signup

Wed, Aug 21

mmartorana closed T366233: Application Security Review Request : Metrics Platform extension as Resolved.

Security Review Summary - T366233 - 2024-08-21
Last commit reviewed: 18f9619

Wed, Aug 21, 5:12 PM · secscrum, Security, Application Security Reviews
mmartorana closed T366233: Application Security Review Request : Metrics Platform extension, a subtask of T366234: Deploy the Metrics Platform extension, as Resolved.
Wed, Aug 21, 5:11 PM · Metrics Platform, Data Products (Data Products Sprint 17), Wikimedia-extension-review-queue, Wikimedia-Extension-setup

Fri, Aug 16

mmartorana added a comment to T366233: Application Security Review Request : Metrics Platform extension.

Hello, thank you for informing us. The review will be published shortly.

Fri, Aug 16, 3:36 PM · secscrum, Security, Application Security Reviews

Wed, Jul 31

mmartorana closed T370867: [email protected] access required for tappof as Resolved.

Hi @tappof - I have granted access to [email protected].

Wed, Jul 31, 5:04 PM · SecTeam-Processed, Security-Team
mmartorana closed T370850: Security Issue Access Request for (tappof) as Resolved.

Hi @tappof - I have granted access to acl*security_sre .

Wed, Jul 31, 10:38 AM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for acl*security_sre: tappof.
Wed, Jul 31, 10:34 AM

Jul 25 2024

mmartorana moved T370056: Test the string export feature of the tool from Stalled/Waiting to Completed on the wikimedia-risk-calculator board.
Jul 25 2024, 10:07 AM · wikimedia-risk-calculator

Jul 24 2024

mmartorana moved T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from In Progress to Completed on the wikimedia-risk-calculator board.
Jul 24 2024, 3:47 PM · wikimedia-risk-calculator
mmartorana added a comment to T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.

Practical Application and Results section added: https://www.mediawiki.org/wiki/Security/Wikimedia_Risk_Calculator

Jul 24 2024, 3:47 PM · wikimedia-risk-calculator
mmartorana moved T370056: Test the string export feature of the tool from In Progress to Stalled/Waiting on the wikimedia-risk-calculator board.
Jul 24 2024, 3:35 PM · wikimedia-risk-calculator
mmartorana updated the task description for T370056: Test the string export feature of the tool .
Jul 24 2024, 3:22 PM · wikimedia-risk-calculator
mmartorana moved T370056: Test the string export feature of the tool from Backlog to In Progress on the wikimedia-risk-calculator board.
Jul 24 2024, 3:21 PM · wikimedia-risk-calculator

Jul 19 2024

sbassett awarded T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0) a Like token.
Jul 19 2024, 4:42 PM · user-sbassett, MediaWiki-Releasing, Security

Jul 17 2024

mmartorana added a comment to T367440: Attempt to condense trivy scanning output and avoid false positive exit code.

Issue number 2 has now successfully been addressed.

Jul 17 2024, 3:45 PM · GitLab-Application-Security-Pipeline, Security, Security Team AppSec, Security-Team

Jul 15 2024

mmartorana created T370056: Test the string export feature of the tool .
Jul 15 2024, 2:50 PM · wikimedia-risk-calculator
mmartorana renamed wikimedia-risk-calculator from risk-rating-toolkit to wikimedia-risk-calculator.
Jul 15 2024, 2:48 PM

Jul 10 2024

mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 9:24 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana changed the visibility for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 9:23 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0) as Resolved.

Supplemental announcement is out!

Jul 10 2024, 9:23 AM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T363773: CVE-2024-40613: Evil regex used to process gadget definitions as Resolved.
Jul 10 2024, 8:58 AM · Patch-For-Review, security-bug, SecTeam-Processed, MediaWiki-extensions-Gadgets, Vuln-DoS, Security, Security-Team
mmartorana changed the visibility for T268147: CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins.
Jul 10 2024, 8:54 AM · Trust and Safety Product Team, CheckUser, Vuln-Infoleak, User-DannyS712, Security
mmartorana changed the visibility for T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode.
Jul 10 2024, 8:53 AM · Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), MW-1.42-notes, MW-1.43-notes (1.43.0-wmf.4; 2024-05-07), Patch-For-Review, Trust and Safety Product Team, SecTeam-Processed, CheckUser, Vuln-DoS, Security
mmartorana changed the visibility for T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.
Jul 10 2024, 8:52 AM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana changed the visibility for T361296: CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.
Jul 10 2024, 8:52 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), Patch-For-Review, SecTeam-Processed, security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana changed the visibility for T361295: CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.
Jul 10 2024, 8:52 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Patch-For-Review, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana closed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar as Resolved.
Jul 10 2024, 8:51 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security
mmartorana changed the visibility for T361293: CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it.
Jul 10 2024, 8:51 AM · SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 10 2024, 8:49 AM · user-sbassett, MediaWiki-Releasing, Security

Jul 9 2024

mmartorana added a comment to T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.

A pull request for this patch has been submitted on github: https://github.com/lingua-libre/BlueLL/pull/18

Jul 9 2024, 8:17 AM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security

Jul 8 2024

mmartorana renamed T363773: CVE-2024-40613: Evil regex used to process gadget definitions from Evil regex used to process gadget definitions to CVE-2024-40613: Evil regex used to process gadget definitions.
Jul 8 2024, 5:38 PM · Patch-For-Review, security-bug, SecTeam-Processed, MediaWiki-extensions-Gadgets, Vuln-DoS, Security, Security-Team
mmartorana renamed T363884: CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF from Special:ChangeRating is vulnerable to CSRF to CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF.
Jul 8 2024, 5:38 PM · SecTeam-Processed, Vuln-CSRF, ArticleRatings, Security
mmartorana renamed T362588: CVE-2024-40601: Classic CSRF in MediaWikiChat's API modules from Classic CSRF in MediaWikiChat's API modules to CVE-2024-40601: Classic CSRF in MediaWikiChat's API modules.
Jul 8 2024, 5:37 PM · security-bug, SecTeam-Processed, Vuln-CSRF, MediaWikiChat, Security
mmartorana renamed T361449: CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar from Metrolook skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40600: Metrolook skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · SecTeam-Processed, security-bug, Metrolook, Vuln-XSS, Security, Security-Team
mmartorana renamed T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar from BlueLL skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:37 PM · security-bug, SecTeam-Processed, Lingua-Libre, Vuln-XSS, Security
mmartorana renamed T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar from Foreground skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-Foreground, Vuln-XSS, Security
mmartorana renamed T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar from Tempo skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Other-skins, Vuln-XSS, Security
mmartorana renamed T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar from Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar to CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, Nimbus, Vuln-XSS, Security
mmartorana renamed T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar from GuMaxDD skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.
Jul 8 2024, 5:36 PM · security-bug, SecTeam-Processed, MediaWiki-skins-GuMaxDD, Vuln-XSS, Security
mmartorana renamed T326866: CVE-2024-40596: Special:Investigate can expose suppressed information for log events from Special:Investigate can expose suppressed information for log events to CVE-2024-40596: Special:Investigate can expose suppressed information for log events.
Jul 8 2024, 5:35 PM · MW-1.43-notes (1.43.0-wmf.7; 2024-05-28), Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), Trust and Safety Product Team, CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T268147: CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins from Special:CheckUser shows deleted edits to non-admins to CVE-2024-40611: Special:CheckUser shows deleted edits to non-admins.
Jul 8 2024, 5:35 PM · Trust and Safety Product Team, CheckUser, Vuln-Infoleak, User-DannyS712, Security
mmartorana renamed T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode from Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode to CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode.
Jul 8 2024, 5:34 PM · Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), MW-1.42-notes, MW-1.43-notes (1.43.0-wmf.4; 2024-05-07), Patch-For-Review, Trust and Safety Product Team, SecTeam-Processed, CheckUser, Vuln-DoS, Security
mmartorana renamed T326865: CVE-2024-40597: Special:CheckUser can expose suppressed information for log events from Special:CheckUser can expose suppressed information for log events to CVE-2024-40597: Special:CheckUser can expose suppressed information for log events.
Jul 8 2024, 5:34 PM · MW-1.43-notes (1.43.0-wmf.1; 2024-04-16), Trust and Safety Product Team, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T326867: CVE-2024-40598: CheckUser API can expose suppressed information for log events from CheckUser API can expose suppressed information for log events to CVE-2024-40598: CheckUser API can expose suppressed information for log events.
Jul 8 2024, 5:33 PM · Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), CheckUser, SecTeam-Processed, Vuln-Infoleak, Security
mmartorana renamed T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL from Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL to CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.
Jul 8 2024, 5:33 PM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana renamed T361296: CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them from Special:Investigate exposes suppressed usernames to those who do not have the rights to see them to CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.
Jul 8 2024, 5:33 PM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), Patch-For-Review, SecTeam-Processed, security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T361295: CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them from CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them to CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.
Jul 8 2024, 5:32 PM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Patch-For-Review, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security, Security-Team
mmartorana renamed T361293: CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it from Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it to CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it.
Jul 8 2024, 5:32 PM · SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), security-bug, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Vuln-Infoleak, Trust and Safety Product Team, CheckUser, Security
mmartorana added a comment to T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)

Jul 8 2024, 5:31 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:45 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:26 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 8 2024, 3:17 PM · user-sbassett, MediaWiki-Releasing, Security

Jul 3 2024

mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 3 2024, 2:22 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
Jul 3 2024, 2:18 PM · user-sbassett, MediaWiki-Releasing, Security

Jun 27 2024

mmartorana moved T360365: Application Security Review Request : New Plugins for Upcoming WMF & WEND Digital Annual Reports - WordPress from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T360365 - 2024-06-27

Jun 27 2024, 4:44 PM · secscrum, Security, Application Security Reviews

Jun 20 2024

mmartorana moved T361961: Security Review For reefjs (potentially used by Wikipedia Preview) from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T361961 - 2024-06-20

Jun 20 2024, 4:27 PM · Inuka-Team, Wikipedia-Preview, secscrum, Application Security Reviews

Jun 18 2024

mmartorana moved T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from Backlog to In Progress on the wikimedia-risk-calculator board.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana changed the status of T367879: Create a spreadsheet for wikimedia risk rating calculator use cases from Open to In Progress.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana updated the task description for T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.
Jun 18 2024, 2:01 PM · wikimedia-risk-calculator
mmartorana created T367879: Create a spreadsheet for wikimedia risk rating calculator use cases.
Jun 18 2024, 1:58 PM · wikimedia-risk-calculator
mmartorana moved T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 18 2024, 1:57 PM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator
mmartorana changed the status of T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org from Open to In Progress.
Jun 18 2024, 9:38 AM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator

Jun 14 2024

mmartorana closed T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline as Resolved.
Jun 14 2024, 3:53 PM · GitLab-Application-Security-Pipeline, SecTeam-Processed, GitLab (CI & Job Runners), Security, Security Team AppSec, Security-Team
mmartorana closed T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Jun 14 2024, 3:53 PM · Epic, user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana changed the status of T367440: Attempt to condense trivy scanning output and avoid false positive exit code from Open to In Progress.
Jun 14 2024, 3:52 PM · GitLab-Application-Security-Pipeline, Security, Security Team AppSec, Security-Team

Jun 6 2024

mmartorana moved T366816: Add toolforge cron script to repo from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 10:06 PM · Security-Team, wikimedia-risk-calculator, Security
mmartorana moved T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org from Backlog to In Progress on the wikimedia-risk-calculator board.
Jun 6 2024, 3:39 PM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator
mmartorana created T366818: Add documentation for Wikimedia Risk Calculator on mediawiki.org.
Jun 6 2024, 3:38 PM · SecTeam-Processed, Documentation, Security-Team, Security, wikimedia-risk-calculator
mmartorana moved T366816: Add toolforge cron script to repo from Backlog to In Progress on the wikimedia-risk-calculator board.
Jun 6 2024, 3:36 PM · Security-Team, wikimedia-risk-calculator, Security
mmartorana updated the task description for T366816: Add toolforge cron script to repo.
Jun 6 2024, 3:32 PM · Security-Team, wikimedia-risk-calculator, Security
mmartorana changed the status of T366816: Add toolforge cron script to repo from Open to In Progress.
Jun 6 2024, 3:27 PM · Security-Team, wikimedia-risk-calculator, Security
mmartorana created T366816: Add toolforge cron script to repo.
Jun 6 2024, 3:26 PM · Security-Team, wikimedia-risk-calculator, Security
mmartorana closed T351795: Create a security bug response playbook as Resolved.
Jun 6 2024, 3:23 PM · wikimedia-risk-calculator
mmartorana closed T351794: Create a proposal for a WMF's relevant risk rating system based on CVSS as Resolved.
Jun 6 2024, 3:23 PM · wikimedia-risk-calculator
mmartorana added a comment to T366814: Implement the risk calculator and host in on toolforge .

risk calculator repo: https://gitlab.wikimedia.org/repos/security/wikimedia-risk-calculator

Jun 6 2024, 3:22 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana closed T366814: Implement the risk calculator and host in on toolforge as Resolved.
Jun 6 2024, 3:20 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana updated the task description for T366814: Implement the risk calculator and host in on toolforge .
Jun 6 2024, 3:20 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana added projects to T366814: Implement the risk calculator and host in on toolforge : Security, Security-Team.
Jun 6 2024, 3:19 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana moved T366814: Implement the risk calculator and host in on toolforge from Backlog to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 3:19 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana created T366814: Implement the risk calculator and host in on toolforge .
Jun 6 2024, 3:19 PM · Security-Team, Security, wikimedia-risk-calculator
mmartorana moved T352743: Test CVSS against SSVC theory from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 3:18 PM · wikimedia-risk-calculator
mmartorana moved T351795: Create a security bug response playbook from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 3:15 PM · wikimedia-risk-calculator
mmartorana moved T351794: Create a proposal for a WMF's relevant risk rating system based on CVSS from In Progress to Completed on the wikimedia-risk-calculator board.
Jun 6 2024, 3:15 PM · wikimedia-risk-calculator

Jun 4 2024

mmartorana added a comment to T361961: Security Review For reefjs (potentially used by Wikipedia Preview).

@sbassett, @mmartorana any idea when this will be looked at? Thanks

Jun 4 2024, 10:06 AM · Inuka-Team, Wikipedia-Preview, secscrum, Application Security Reviews

May 28 2024

mmartorana claimed T366005: Remove docroot/wikimediafoundation.org/ folder from mediawiki-config.
May 28 2024, 4:17 PM · Infrastructure-Foundations, Patch-For-Review, SecTeam-Processed, Security-Team, Wikimedia-Apache-configuration, Security

May 27 2024

mmartorana updated the task description for T366005: Remove docroot/wikimediafoundation.org/ folder from mediawiki-config.
May 27 2024, 3:17 PM · Infrastructure-Foundations, Patch-For-Review, SecTeam-Processed, Security-Team, Wikimedia-Apache-configuration, Security
mmartorana created T366005: Remove docroot/wikimediafoundation.org/ folder from mediawiki-config.
May 27 2024, 3:16 PM · Infrastructure-Foundations, Patch-For-Review, SecTeam-Processed, Security-Team, Wikimedia-Apache-configuration, Security

May 20 2024

mmartorana closed T337949: Add security.txt to Wikimedia sites? (2023 edition) as Resolved.
May 20 2024, 4:31 PM · SecTeam-Processed, Documentation, Security-Team, Security, Wikimedia-Apache-configuration

May 9 2024

mmartorana added a comment to T363773: CVE-2024-40613: Evil regex used to process gadget definitions.

If anyone wants to write a patch with @Bawolff enhanced regex to address these issues, we would be pleased to review it and deploy it.

May 9 2024, 4:48 PM · Patch-For-Review, security-bug, SecTeam-Processed, MediaWiki-extensions-Gadgets, Vuln-DoS, Security, Security-Team

Apr 29 2024

mmartorana added a comment to T272297: User script on user subpage doesn't work after user rename.

Hey @stjn - I voted +1 on the gerrit change, as the proposed change appears to be secure in my opinion.

Apr 29 2024, 4:28 PM · SecTeam-Processed, Security-Team, Patch-For-Review, MediaWiki-extensions-CentralAuth, JavaScript, MediaWiki-User-rename, MediaWiki-General, Vuln-DoS

Apr 23 2024

mmartorana updated the task description for T360365: Application Security Review Request : New Plugins for Upcoming WMF & WEND Digital Annual Reports - WordPress.
Apr 23 2024, 3:26 PM · secscrum, Security, Application Security Reviews
mmartorana changed the status of T272297: User script on user subpage doesn't work after user rename from Open to In Progress.
Apr 23 2024, 2:34 PM · SecTeam-Processed, Security-Team, Patch-For-Review, MediaWiki-extensions-CentralAuth, JavaScript, MediaWiki-User-rename, MediaWiki-General, Vuln-DoS

Apr 9 2024

mmartorana added a comment to T361943: Decide on a Software Bill of Materials (SBOM) format for MediaWiki.

I lean towards CycloneDX because of its broader approach: it prioritizes the management of software components and dependencies rather than license/legal compliance, which is the primary focus of SPDX.

Apr 9 2024, 3:44 PM · SecTeam-Processed, Security-Team, Security

Apr 4 2024

mmartorana added a project to T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL: SecTeam-Processed.
Apr 4 2024, 2:27 PM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana removed projects from T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL: Patch-For-Review, Security-Team.
Apr 4 2024, 2:27 PM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
mmartorana changed the status of T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL from Open to In Progress.
Apr 4 2024, 2:27 PM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security