This tag is used to group security bugs by their general classification. If a vulnerable component is exploited, such bugs allow a range of attacks. See OWASP Top 10 2017 - A9
Parent project: Security-Team
Details
Details
Description
Thu, Nov 7
Thu, Nov 7
Nikerabbit removed projects from T309772: npm audit reports several security issues with Service runner: LPL Essential (LPL Essential 2024 Jul-Oct), CX-cxserver.
Removing CXserver and sprint tags as it no longer applies to us.
Thu, Oct 31
Thu, Oct 31
santhosh added a comment to T309772: npm audit reports several security issues with Service runner.
CXServer removed the dependency on service-runner T357950: Remove servicerunner dependency for cxserver and deployed to production last week. Since service-runner and the associated service template had huge influence on how a nodejs servie is written, it was not an easy migration. This was also partly due to the fact that cxserver was written in 2015 and then grew to a complex system.
Sep 12 2024
Sep 12 2024
sbassett set Author Affiliation to tech on T374588: GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 .
sbassett edited projects for T374588: GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 , added: Vuln-VulnComponent, SecTeam-Processed; removed Security-Team.
Sep 5 2024
Sep 5 2024
Yaron_Koren closed T370022: Version `4.3.5` of `smarty/smarty` library in Extension:Widgets library has CVE-2024-35226 as Resolved.
I think this can be closed.
Aug 22 2024
Aug 22 2024
sbassett raised the priority of T373124: update ingress-nginx for CVE-2024-7646 from Medium to High.
sbassett edited projects for T373124: update ingress-nginx for CVE-2024-7646, added: SecTeam-Processed, Vuln-VulnComponent; removed Security-Team.
Aug 20 2024
Aug 20 2024
Aug 19 2024
Aug 19 2024
Aklapper added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
See the previous three comments
Mstyles added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
@Aklapper are you okay to resolve this ticket?
Aug 15 2024
Aug 15 2024
sbassett moved T371569: SMTP smuggling vulnerability report from Watching to Our Part Is Done on the Security-Team board.
sbassett changed the visibility for T371569: SMTP smuggling vulnerability report.
Aug 13 2024
Aug 13 2024
brennen added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
If this has bitten us anywhere else, I'm not aware of it. I think it seems fine to resolve at this stage.
Dzahn added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
modules/profile/templates/idp/client/httpd-puppetboard-ng.erb is for https://puppetboard.wikimedia.org
Aklapper moved T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F from To Triage to Infrastructure on the Phabricator board.
Aklapper added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
I'm tempted to resolve this task tagged with Phabricator and create a separate one for MediaWiki-Vagrant (is the modules/profile/templates/idp/client/httpd-puppetboard-ng.erb result in Puppet relevant?) because I dislike fixed issues displayed as unresolved tasks in my backlog. Eh?
Aug 12 2024
Aug 12 2024
jhathaway added a comment to T371569: SMTP smuggling vulnerability report.
Would that be the extent of our exposure to this issue, in your estimation? e.g. is the above good enough to resolve this task? We'd need to defer to you and SRE on that assessment.
Aug 8 2024
Aug 8 2024
sbassett set Author Affiliation to tech on T372026: GitLab Security Release: 17.2.2, 17.1.4, 17.0.6.
sbassett edited projects for T372026: GitLab Security Release: 17.2.2, 17.1.4, 17.0.6, added: SecTeam-Processed, Vuln-VulnComponent; removed Security-Team.
Aug 7 2024
Aug 7 2024
sbassett set Author Affiliation to tech on T370973: GitLab Security Release 17.2.1, 17.1.3, 17.0.5.
sbassett set Author Affiliation to tech on T371953: GitLab Security Release: GitLab Patch Release: 17.2.1, 17.1.3, 17.0.5 .
sbassett edited projects for T371953: GitLab Security Release: GitLab Patch Release: 17.2.1, 17.1.3, 17.0.5 , added: SecTeam-Processed, Vuln-VulnComponent; removed Security-Team.
Aug 5 2024
Aug 5 2024
sbassett moved T371569: SMTP smuggling vulnerability report from Incoming to Watching on the Security-Team board.
Aug 2 2024
Aug 2 2024
sbassett added a comment to T371569: SMTP smuggling vulnerability report.
Aug 1 2024
Aug 1 2024
jhathaway added a comment to T371569: SMTP smuggling vulnerability report.
Our postfix servers have now been configured with the "long term fix", T370011, https://www.postfix.org/smtp-smuggling.html#back-ports
Jul 31 2024
Jul 31 2024
sbassett added projects to T371569: SMTP smuggling vulnerability report: Infrastructure-Foundations, Vuln-VulnComponent.
sbassett updated subscribers of T371569: SMTP smuggling vulnerability report.
Jul 26 2024
Jul 26 2024
brennen added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Doesn't look like a lot else in codesearch, at least - a couple in MediaWiki-Vagrant:
Jelto updated the task description for T370973: GitLab Security Release 17.2.1, 17.1.3, 17.0.5.
Jul 25 2024
Jul 25 2024
eoghan updated the task description for T370973: GitLab Security Release 17.2.1, 17.1.3, 17.0.5.
eoghan updated the task description for T370973: GitLab Security Release 17.2.1, 17.1.3, 17.0.5.
sbassett edited projects for T370973: GitLab Security Release 17.2.1, 17.1.3, 17.0.5, added: SecTeam-Processed, Vuln-VulnComponent; removed Security-Team.
Jul 24 2024
Jul 24 2024
hashar added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Jul 23 2024
Jul 23 2024
Maintenance_bot removed a project from T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F: Patch-For-Review.
Dzahn added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
gerritbot added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Change #1056207 merged by Dzahn:
[operations/puppet@production] phorge: add UnsafeAllow3F rewrite flag
gerritbot added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Change #1056207 had a related patch set uploaded (by Dzahn; author: Dzahn):
[operations/puppet@production] phorge: add UnsafeAllow3F rewrite flag
hashar added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Is the B flag the reason the issue triggers? From what I understand it encodes the requested URI before it is processed and surely any legit ones having a question mark will end up triggering it. Maybe the upstream code should have exempted those cases, then I don't understand the attack vector :-/ What I am wondering is what is the sufficient condition to trigger the error so that we can audit all of our RewriteRule.
Jul 22 2024
Jul 22 2024
Aklapper added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
Upstreamed as https://we.phorge.it/T15889
Mstyles changed the visibility for T370022: Version `4.3.5` of `smarty/smarty` library in Extension:Widgets library has CVE-2024-35226.
Mstyles added a comment to T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F.
@Aklapper since the gerrit patch is public this ticket is okay to be public as well. I went ahead and changed the policy
sbassett edited projects for T370110: Apache 2.4.61 throws a 403 Forbidden for links containing %3F, added: Vuln-VulnComponent; removed Vuln-Misconfiguration.