| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <www-apps/mediawiki-1.35.2: multiple vulnerabilities | | |
| Product | Gentoo Security | Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | fordfrog, web-apps |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B4 [glsa+ cve] | | |
| Package list | | Runtime testing required | --- |
Description

John Helmert III, 2021-04-06 17:56:40 UTC

---

afaics 1.35.2 is not released yet: https://www.mediawiki.org/wiki/Download

---

Ah, my bad.

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548

    commit 00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548
    Author:     Miroslav Šulc <fordfrog@gentoo.org>
    AuthorDate: 2021-04-09 12:05:37 +0000
    Commit:     Miroslav Šulc <fordfrog@gentoo.org>
    CommitDate: 2021-04-09 12:06:05 +0000

        www-apps/mediawiki: security bump to 1.35.2

        Bug: https://bugs.gentoo.org/780654
        Package-Manager: Portage-3.0.18, Repoman-3.0.3
        Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

     www-apps/mediawiki/Manifest                |  1 +
     www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ++++++++++++++++++++++++++++++
     2 files changed, 87 insertions(+)

---

it should be safe to stabilize

---

Thanks!

From the changelog:

- (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
- (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
- (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
- (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect.
- (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
- (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user cancreate pages.
- (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.

---

amd64 ppc x86 (ALLARCHES) done

all arches done

---

Thanks! Please cleanup.

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8bf368b3924eb7962008fdd12ea7d3873fda32e

    commit c8bf368b3924eb7962008fdd12ea7d3873fda32e
    Author:     Miroslav Šulc <fordfrog@gentoo.org>
    AuthorDate: 2021-04-10 04:43:35 +0000
    Commit:     Miroslav Šulc <fordfrog@gentoo.org>
    CommitDate: 2021-04-10 04:43:35 +0000

        www-apps/mediawiki: removed old and vulnerable 1.35.1

        Bug: https://bugs.gentoo.org/780654
        Package-Manager: Portage-3.0.18, Repoman-3.0.3
        Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

     www-apps/mediawiki/Manifest                |  1 -
     www-apps/mediawiki/mediawiki-1.35.1.ebuild | 86 ------------------------------
     2 files changed, 87 deletions(-)

---

we're clean now, you can proceed.

---

(In reply to Miroslav Šulc from comment #9)
> we're clean now, you can proceed.

Thanks! GLSA request filed.

---

This issue was resolved and addressed in GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40 by GLSA coordinator John Helmert III (ajak).