From URL: "== Security fixes == * (T248947) img_auth.php may leak private extension images into the public cache. CVE-2020-15005"
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0362678f4136aef42b976cc25405a2036147ecad
commit 0362678f4136aef42b976cc25405a2036147ecad
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-25 07:47:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-25 07:48:10 +0000
    www-apps/mediawiki: bump to 1.34.2
    1) REQUIRED_USE for databases + default database in USE flags + updated database related deps
    2) removing binary distributions of lua in Scribunto
    3) updated installed docs
    Bug: https://bugs.gentoo.org/729480
    Closes: https://bugs.gentoo.org/716782
    Closes: https://bugs.gentoo.org/728568
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.34.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Thank you! Please tell us when ready to stable.
imo it can go stable.
(In reply to Miroslav Šulc from comment #3)
> imo it can go stable.
Thank you for the quick response! :)
CVE-2020-12051: The CentralAuth extension through REL1_34 for MediaWiki allows remote attackers to obtain sensitive hidden account information via an api.php?action=query&meta=globaluserinfo&guiuser= request. In other words, the information can be retrieved via the action API even though access would be denied when simply visiting wiki/Special:CentralAuth in a web browser.
According to the email announcement, this appears to also be fixed in the 1.34 branch in 1.34.2:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-June/000254.html
amd64 stable
ppc stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9443e690c0dd880eadc408072fb9520ef032757c
commit 9443e690c0dd880eadc408072fb9520ef032757c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-29 04:59:06 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-29 04:59:06 +0000
    www-apps/mediawiki: removed vulnerable 1.34.1
    Bug: https://bugs.gentoo.org/729480
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.34.1.ebuild | 79 ------------------------------
 2 files changed, 80 deletions(-)