Bug 815376 (CVE-2021-41798, CVE-2021-41799, CVE-2021-41800)

Summary:	<www-apps/mediawiki-1.36.2: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fordfrog, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	815640
Bug Blocks:

Description John Helmert III archtester

2021-09-29 17:03:21 UTC

From URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.16
- 1.35.4
- 1.36.2

This will resolve 3 issues in MediaWiki core and also includes some fixes
previously committed to git, including minor security and hardening patches
along with bug fixes included for maintenance reasons.

Comment 1 John Helmert III archtester

2021-09-30 18:30:21 UTC

Please bump to 1.36.2.

Comment 2 Larry the Git Cow gentoo-dev

2021-10-01 12:00:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d4e80120420a01be97bf7366bfd6805a37272f1

commit 3d4e80120420a01be97bf7366bfd6805a37272f1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-01 12:00:15 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-01 12:00:30 +0000

    www-apps/mediawiki: bump to 1.36.2
    
    Bug: https://bugs.gentoo.org/815376
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2021-10-02 07:32:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8773d06fa788fcfa6f0f4210c17f98351ff37007

commit 8773d06fa788fcfa6f0f4210c17f98351ff37007
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-02 07:31:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-02 07:31:46 +0000

    www-apps/mediawiki: removed vulnerable 1.36.1
    
    Bug: https://bugs.gentoo.org/815376
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.36.1.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)

Comment 4 Miroslav Šulc gentoo-dev

2021-10-02 07:32:35 UTC

the tree is clean now, you can proceed.

Comment 5 John Helmert III archtester

2021-10-02 13:11:55 UTC

Thanks!

Comment 6 John Helmert III archtester

2022-12-26 20:39:54 UTC

GLSA request filed.

Comment 7 Larry the Git Cow gentoo-dev

2023-05-21 19:52:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comment 8 John Helmert III archtester

2023-05-21 19:53:32 UTC

GLSA released, all done!