Some comments.
Done a minor change but this was never a security issue.
Okay, can access - but can't use.
I have locked down sql.php on mw* by chown root:root sql.php and chmod 0400 sql.php.
We have changed it to root only for now, but mw-admins should still be able to use sql.php so we should find another solution.
tables can also be created.
Dropping of course does not work, but accessing any db that is not meant for mw-admins (such as phabricator_*, icinga, etc.) can be done via the SQL.php prompt
All hosts updated now.
2.17.1 is now able to be downloaded just upgraded misc1.
I updated my git's earlier today with homebrew without realising it was security update.
I did salt -E ".*" cmd.run "apt-get -t stretch-backports install git -y" which installed git 2.17.0 but 2.17.1 is shown on https://packages.debian.org/stretch-backports/git but it's not installing with apt-get -t stretch-backports install git -y. I did do a apt-get update to make sure and still dosen't install 2.17.1
I'm going to close this as invalid because;
“checking all services that we have to make sure they are documented” this has been something we’ve been trying to do since July 2015 I swear
Legal is different to security.
I'm pretty sure security is valid since this is dealing with legal stuff in europe.
Cc @labster wondering do you have any opinion on this? :)
Maybe UBN?
We need to get this to work by not auto logging into the wiki's, but we carn't seem to get it working.
What's to be done here?
3 months for a security task is quite poor now as a FYI for people here.
The Wikimedia Foundation have decided that they will outsource there pdf efforts (ie they will not be hosting it now). They have an agreement with pediapress to host the pdfs for them.
@Reception123 @labster I'm pretty sure Security is valid because there were mentioned concerns about outsourcing anything related to the content of private wikis.
@MacFan4000 Why "Security"?
@Southparkfan because it made logins on all custom domains impossible.
Why was this change reverted? This auto-login vector is a security vulnerability (since the custom domains are not under our control) and DoS vector (one auto-login generates more than 250 web requests in just a few seconds. It's impossible to handle those with just 12 virtual cores!).
@John Ok
@Reception123 fyi you shouldn't have moved this to S2 but changed the policy to allow only Security+me (because I made this task and I could have looked into this way way earlier).
FYI, this may also be the cause of >95% of the 503 errors.
This is still a concern, as any malicious user could in theory still do this.
In T2674#50383, @Southparkfan wrote:For security reasons it may be better to disable this feature for all domains not in staff control.
For security reasons it may be better to disable this feature for all domains not in staff control.
Seems to be good now.
Committed b0517d9a309290bbd00aad2bf5f470d663665923, please verify.
ACK