Hello Everyone.

This is an advisory that the SimpleSecurity extension has unfixed security issues, and that people relying on it should consider moving to a different solution. The extension does not take caching into consideration, and is not secure when $wgMainCacheType is something other than CACHE_NONE.

We received a bug report about this quite a long time ago, however it appears nobody is maintaining the extension, and we were unable to find anyone to forward the report to who was interested in fixing the issue. So instead we are making the issue public and issuing this warning about it.

The issue in question is https://phabricator.wikimedia.org/T48843

The extension in question is https://www.mediawiki.org/wiki/Extension:SimpleSecurity

Sincerely,
Brian Wolff
Wikimedia Security Team

P.S. This is the first time I've ever written a warning like this for an extension. In the past, we've just put security alerts on the extension page or sometimes just ignored them (which I consider bad). I would like feedback from mediawiki-l if people on this list appreciate getting a notice like this, or if you folks consider it off topic. Any other feedback about how we handle security issues reported to us for extensions we do not make or maintain is also appreciated.

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
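
For an administrator checking whether a wiki matches the condition this advisory names, the following added example (not part of the original message, and not code from MediaWiki or the extension) statically scans the text of a LocalSettings.php for a reference to SimpleSecurity together with a $wgMainCacheType other than CACHE_NONE. The sample files, the require_once path and the function names are constructed assumptions; a static scan cannot see values set dynamically or in included files.

```python
import re

# Constructed sample LocalSettings.php fragments (not from any real wiki).
# The require_once path is an assumed, old-style way of loading the extension.
SAMPLE_EXPOSED = '''<?php
$wgMainCacheType = CACHE_NONE;
# $wgMainCacheType = CACHE_DB;
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
$wgMainCacheType = CACHE_MEMCACHED; // later assignment wins
'''
SAMPLE_DEFAULT = '''<?php
/* $wgMainCacheType = CACHE_ACCEL; */
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
'''


def strip_php_comments(src):
    """Drop /* */ blocks and #, // line comments (heuristic: no string parsing)."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    # Require line start or whitespace before the marker so "http://" survives.
    return re.sub(r'(?m)(^|\s)(#|//).*$', r'\1', src)


def cache_type(code):
    """Last value assigned to $wgMainCacheType; CACHE_NONE is MediaWiki's default."""
    hits = re.findall(r'\$wgMainCacheType\s*=\s*([^;]+);', code)
    return hits[-1].strip() if hits else 'CACHE_NONE'


def check(src):
    """Flag the advisory's condition: extension referenced and caching enabled."""
    code = strip_php_comments(src)
    referenced = re.search(r'SimpleSecurity', code) is not None
    ctype = cache_type(code)
    # Anything other than the literal CACHE_NONE (including expressions that
    # cannot be resolved statically) is flagged for manual review.
    return {'extension_referenced': referenced,
            'cache_type': ctype,
            'flagged': referenced and ctype != 'CACHE_NONE'}


if __name__ == '__main__':
    for name, text in (('exposed', SAMPLE_EXPOSED), ('default', SAMPLE_DEFAULT)):
        print(name, check(text))
```

An unflagged result only means this one condition was not found in the scanned text; the advisory's recommendation to move to a different solution applies either way.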
