Posts tagged: security

A belated writeup of CVE-2022-28201 in MediaWiki

In December 2021, I discovered CVE-2022-28201, which is that it's possible to get MediaWiki's Title::newMainPage() to go into infinite recursion. More specifically, if the local interwikis feature is configured (not used by default, but enabled on Wikimedia wikis), any on-wiki administrator could fully brick the wiki by editing the [[MediaWiki:Mainpage]]…

Wiki-leak

Today's #MediaWiki security release fixes a pretty bad wiki-leak: https://w.wiki/4ZAe There's a pretty simple mitigation that can be applied via configuration in LocalSettings.php if you can't patch immediately. Fixes are out for Debian packages, the "official" Docker image, and should land in my Ubuntu PPA for focal/bionic shortly...

Choosing a web browser, updated

You're seeing the world through a web browser; what does it see about you? As part of my work on the Freedom of the Press Foundation's Digital Security Team, I updated our guide comparing the privacy and security features of popular browsers in 2020. https://freedom.press/training/-depth-guide-choosing-web-browser/