Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 760414 (CVE-2020-35474, CVE-2020-35475, CVE-2020-35477, CVE-2020-35478, CVE-2020-35480)

Summary: <www-apps/mediawiki-1.35.1: multiple vulnerabilities (CVE-2020-{35474,35475,35477,35478,35480})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: fordfrog, web-apps
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000267.html
Whiteboard: B4 [noglsa]
Package list:
www-apps/mediawiki-1.35.1
 Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 03:43:22 UTC 
From $URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.11
- 1.35.1

This will resolve 5 issues in MediaWiki core (1 of which isn't applicable
to MediaWiki 1.31 at all), and also includes some fixes previously
committed to git, including minor security and hardening patches along with
bug fixes included for maintenance reasons.


(Tomorrow is 20201216)
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 23:52:18 UTC 
1.31.11 and 1.35.1 are released:

* (T268894, CVE-2020-35474) SECURITY: Message recentchanges-legend-watchlistexpiry can contain raw html.
* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current and userrights-expiry-none can contain raw html.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.


Please bump to 1.35.1.
Comment 2 Larry the Git Cow gentoo-dev 2020-12-18 10:47:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eca29da12d5a6f6a26c84e7272e12f680b23d42f

commit eca29da12d5a6f6a26c84e7272e12f680b23d42f
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-12-18 10:47:04 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-12-18 10:47:04 +0000

    www-apps/mediawiki: bump to 1.35.1
    
    Bug: https://bugs.gentoo.org/760414
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.35.1.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2020-12-18 11:15:16 UTC 
feel free to request package stabilization if needed
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-18 18:31:17 UTC 
(In reply to Miroslav Šulc from comment #3)
> feel free to request package stabilization if needed

Thanks!
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 14:27:08 UTC 
amd64 done
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-20 16:31:16 UTC 
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 05:27:22 UTC 
ppc done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 05:30:37 UTC 
Please cleanup, thanks!
Comment 9 Larry the Git Cow gentoo-dev 2020-12-22 13:17:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55a85ea6c92ee7ecacad8d85096e5896c6554860

commit 55a85ea6c92ee7ecacad8d85096e5896c6554860
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-12-22 13:17:16 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-12-22 13:17:16 +0000

    www-apps/mediawiki: removed obsolete & vulnerable 1.35.0
    
    Bug: https://bugs.gentoo.org/760414
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.35.0.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2020-12-22 13:17:47 UTC 
the cree is clean now, you can proceed
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 19:07:29 UTC 
(In reply to Miroslav Šulc from comment #10)
> the cree is clean now, you can proceed

Thanks! All done.