SRE Vacancy: Software Engineer (Developer) (MediaWiki)
Miraheze is looking for Software Engineers to join our MediaWiki Team to develop code to improve the user experience of Miraheze users, build tools that allow communities to grow, and tools that support our valuable volunteers in managing a dynamic and active global community. If you think this could be you, please do have a look at the Vacancies page which includes further information. Reception123 (talk) (C) 07:09, 31 January 2023 (UTC)
Due to a severe security vulnerability with Cargo which has been acknowledged upstream (Wikimedia Phabricator ticket currently private), the extension has been disabled on all wikis. We deeply apologize for the inconvenience but we hope this issue is resolved soon.
While there is absolutely no indication that the security vulnerabilities discovered in Cargo were exploited on Miraheze, out of a great abundance of caution, all user sessions have been reset. This means all users were logged out and must log back in again. As a general internet safety reminder, please do not reuse passwords between services and make sure to regularly change your password to a strong, unique one. Agent Isai Talk to me! 03:52, 5 April 2023 (UTC)
We plan on isolating Cargo to its own database going forward. Wikis that opt in to Cargo will have their own database for Cargo data separate from the wiki database. Void has done a lot of work on this (https://github.com/miraheze/mw-config/pull/5182, https://github.com/miraheze/MirahezeMagic/pull/413, https://github.com/miraheze/puppet/commit/241009f1d77c4935621aae016ae0757bac246b83), though there are still some details left to flesh out. This will be useful if similar vulnerabilities are ever discovered again on Cargo. Unfortunately, we still do not have an ETA on when Cargo will be re-enabled. OrangeStar (talk) 11:06, 14 April 2023 (UTC)
- Cargo has been re-enabled following some steps to make it more secure in our setup. If you experience any problems with Cargo, please open a bug report on Phabricator. If you become aware of any security concern regarding the extension (or any of our other extensions for that matter), please email security@miraheze.org with as many details as possible, or file a security task on Phabricator using this form. -- Void Whispers 23:16, 16 April 2023 (UTC)
Cloud11 and Swift issues
Due to a disk issue on cloud11 (where Swift servers are located), files are currently not displaying properly and uploads are not possible. More information will be provided when available. Reception123 (talk) (C) 13:15, 11 April 2023 (UTC)
- Adding to the above, while the servers which actually hold image files are unaffected, the server that verifies that users have the proper permissions to view files and which directs traffic is down. This means that requests for images might return errors such as "Unauthorized. You do not have permission to view this file." and such. We are working to correct the issue but have no ETA at the moment for when this will be fixed. Agent Isai Talk to me! 00:36, 12 April 2023 (UTC)
- An update to the above. We're still working on recovering the data from the affected cloud server. We have been able to successfully access some data but we must now reinstall the cloud server to continue working on recovery. We hope to do the reinstall either today or tomorrow. Agent Isai Talk to me! 17:36, 15 April 2023 (UTC)
This is now solved. SRE's infrastructure team reinstalled the faulty servers today, and images have come back online for almost all wikis. If you are experiencing problems related to images/files still, please create a ticket on Phabricator. OrangeStar (talk) 19:51, 16 April 2023 (UTC)
Graph has been disabled on all wikis due to a very severe security bug which caused it to be disabled on all Wikimedia wikis earlier today. Please see Wikimedia Phabricator task T334940 for more information. We hope that this issue is fixed soon. Agent Isai Talk to me! 01:13, 19 April 2023 (UTC)
- Local issue is https://phabricator.miraheze.org/T10756. In the meantime you can take the code between the <graph> tags and paste it into https://vega.github.io/vega-editor/?mode=vega to generate PNG or SVG replacements. Psephomancy (talk) 20:35, 11 November 2023 (UTC)
- We have resolved the issue. File uploads, deletions, and import requests have been reenabled. Thank you for bearing with us, and we apologize for the inconvenience caused. Paladox (talk) 15:11, 22 June 2023 (UTC)
An update on the criminal investigation into recent DDoS attacks
I'd like to provide an update to the community on the denial of service attacks we experienced last month.
Following an investigation by Nottinghamshire Police, they have identified a person of interest in the USA and the matter has been passed to authorities there to investigate.
We'd like to thank Nottinghamshire Police for their support and those within the community who provided evidence to us or the National Fraud Intelligence Bureau.
Miraheze will not tolerate abuse of its services and those who are involved face having their access terminated or limited as well as prosecution where enough evidence exists.
We'd also like to take this opportunity to remind those in the UK that they can and should report cyber crime and fraud via https://actionfraud.police.uk
Any users who wish to find out more information about the laws and consequences surrounding cyber crime can visit https://www.nationalcrimeagency.gov.uk/cyber-choices