| Summary: | <www-apps/mediawiki-{1.37.6,1.38.4}: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | minor | CC: | fordfrog, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TFITSCYKN54LQUO6JK2ON5GEVE7WHK65/ | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=868141 | ||
| Whiteboard: | B4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 873775 | ||
| Bug Blocks: | |||
|
Description
John Helmert III
2022-09-29 04:05:27 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a7cc9d97b1a12cf5c6e6464f2349d7c9823230 commit 27a7cc9d97b1a12cf5c6e6464f2349d7c9823230 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-09-30 03:40:14 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-09-30 03:40:14 +0000 www-apps/mediawiki: bump to 1.37.6 Bug: https://bugs.gentoo.org/868141 Bug: https://bugs.gentoo.org/873385 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 1 + www-apps/mediawiki/mediawiki-1.37.6.ebuild | 86 ++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebe28034a2a04865a9601f4b9356cbf4b211537 commit 5ebe28034a2a04865a9601f4b9356cbf4b211537 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-09-30 03:38:53 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-09-30 03:38:53 +0000 www-apps/mediawiki: bump to 1.38.4 Bug: https://bugs.gentoo.org/868141 Bug: https://bugs.gentoo.org/873385 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 1 + www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) These are released: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/ 1.37.6 and 1.38.4 were bugfix releases released hours later: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/DMQKMFSH4K7KLBXWZTDBGI2PWLLHJHJZ/ Please stabilize when ready. Please cleanup The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f commit f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-10-21 03:23:30 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-10-21 03:23:30 +0000 www-apps/mediawiki: dropped obsolete & vulnerable 1.37.4 & 1.38.2 Bug: https://bugs.gentoo.org/873385 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 2 - www-apps/mediawiki/mediawiki-1.37.4.ebuild | 86 ------------------------------ www-apps/mediawiki/mediawiki-1.38.2.ebuild | 86 ------------------------------ 3 files changed, 174 deletions(-) the tree is clean now, you can proceed Thanks! GLSA request filed. Two more CVEs that appear to be fixed in Gentoo with the versions in summary. CVE-2022-41765 (https://phabricator.wikimedia.org/T309894): An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. CVE-2022-41767 (https://phabricator.wikimedia.org/T316304): An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. |