Mailing List Archive

Graph extension disabled
Hello Everyone,

Today it was identified that the Graph extension [1], which uses the older
Vega 1 & Vega 2 libraries, had a number of security vulnerabilities.

In the interest of the security of our users, the Graph extension was
disabled on Wikimedia wikis. We know that this is disruptive for editors
and readers, and WMF teams are working quickly on a plan to respond to
these vulnerabilities.

We recommend that any other third party users of the Graph extension should
disable the use of that extension on their wikis.


A configuration change will suppress the exposed raw tags and graph JSON
definition to avoid excess disruption to the end user experience when the
extension is disabled. [2] This also provides a tracking category
"Category:Pages with disabled graphs" showing the pages that used to
contain graphs. Local administrators can localise the name of the category
and its description by editing the [[MediaWiki:Graph-disabled-category]]
and [[MediaWiki:Graph-disabled-category-desc]] interface messages on your
local wiki.

On Wikimedia projects, graphs created via the extension will remain
unavailable. This means that pages that were formerly displaying graphs
will now display a small blank area. To help readers understand this
situation, communities can now define a brief message that can be displayed
to readers in place of each graph until this is resolved. That message can
be defined on each wiki at [[MediaWiki:Graph-disabled]] by local
administrators.

Wikimedia Foundation staff are looking at options available and expected
timelines. For updates on this topic, follow the public Phabricator task
for this issue: https://phabricator.wikimedia.org/T334940

We are seeking translation to be able to distribute a massmessage about
this to various language wikis tomorrow. Please help us translate here:
https://meta.wikimedia.org/wiki/User:Seddon_(WMF)/Graph_massmessage

Thank you,

Seddon

[1] https://www.mediawiki.org/wiki/Extension:Graph
[2] https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/refs/heads/master/wmf-config/CommonSettings.php#3694

Seddon (he/him they/them)

*Engineering Manager*

*Wikimedia Foundation*