Summary: | <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | fordfrog, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mediawiki.org/wiki/2021-12_security_release/FAQ | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 829303 | ||
Bug Blocks: |
Description
John Helmert III
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e81c7c466f2b013ac04c94c28436e919b9601de

commit 4e81c7c466f2b013ac04c94c28436e919b9601de
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-12-16 07:55:59 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-16 07:55:59 +0000

www-apps/mediawiki: removed obsolete and vulnerable 1.36.2

Bug: https://bugs.gentoo.org/829302
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 1 -
www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ------------------------------
2 files changed, 87 deletions(-)

the tree is clean now, you can proceed.

Thank you! GLSA request filed.

Some more CVEs fixed in these versions.

CVE-2021-44856 (https://phabricator.wikimedia.org/T271037): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

CVE-2021-44854 (https://phabricator.wikimedia.org/T292763): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

CVE-2021-44855 (https://phabricator.wikimedia.org/T293589): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

[ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/815376
Bug: https://bugs.gentoo.org/829302
Bug: https://bugs.gentoo.org/836430
Bug: https://bugs.gentoo.org/855965
Bug: https://bugs.gentoo.org/873385
Bug: https://bugs.gentoo.org/888041
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)

GLSA released, all done!