Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 873385 (CVE-2022-41765, CVE-2022-41766, CVE-2022-41767) - <www-apps/mediawiki-{1.37.6,1.38.4}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.37.6,1.38.4}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-41765, CVE-2022-41766, CVE-2022-41767
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/hyperkitt...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 873775
Blocks:
  Show dependency tree
 
Reported: 2022-09-29 04:05 UTC by John Helmert III
Modified: 2023-05-21 19:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 04:05:27 UTC 
"Hi all,

On Thursday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.35.8
- 1.37.5
- 1.38.3"
Comment 1 Larry the Git Cow gentoo-dev 2022-09-30 03:40:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a7cc9d97b1a12cf5c6e6464f2349d7c9823230

commit 27a7cc9d97b1a12cf5c6e6464f2349d7c9823230
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:40:14 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:40:14 +0000

    www-apps/mediawiki: bump to 1.37.6
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.37.6.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebe28034a2a04865a9601f4b9356cbf4b211537

commit 5ebe28034a2a04865a9601f4b9356cbf4b211537
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:38:53 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:38:53 +0000

    www-apps/mediawiki: bump to 1.38.4
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 14:28:07 UTC 
Please stabilize when ready.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 21:55:24 UTC 
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-10-21 03:23:40 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f

commit f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-10-21 03:23:30 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-10-21 03:23:30 +0000

    www-apps/mediawiki: dropped obsolete & vulnerable 1.37.4 & 1.38.2
    
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.37.4.ebuild | 86 ------------------------------
 www-apps/mediawiki/mediawiki-1.38.2.ebuild | 86 ------------------------------
 3 files changed, 174 deletions(-)
Comment 6 Miroslav Šulc gentoo-dev 2022-10-21 03:24:34 UTC 
the tree is clean now, you can proceed
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 14:29:39 UTC 
Thanks!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:39:27 UTC 
GLSA request filed.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:42:51 UTC 
Two more CVEs that appear to be fixed in Gentoo with the versions in summary.

CVE-2022-41765 (https://phabricator.wikimedia.org/T309894):

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

CVE-2022-41767 (https://phabricator.wikimedia.org/T316304):

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.
Comment 10 Larry the Git Cow gentoo-dev 2023-05-21 19:52:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-21 19:53:51 UTC 
GLSA released, all done!