| Summary: | <www-apps/mediawiki-{1.37.6,1.38.4}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | fordfrog, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TFITSCYKN54LQUO6JK2ON5GEVE7WHK65/ | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=868141 | | |
| Whiteboard: | B4 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 873775 | Bug Blocks: | |

Description
John Helmert III
2022-09-29 04:05:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a7cc9d97b1a12cf5c6e6464f2349d7c9823230

commit 27a7cc9d97b1a12cf5c6e6464f2349d7c9823230
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:40:14 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:40:14 +0000

www-apps/mediawiki: bump to 1.37.6

Bug: https://bugs.gentoo.org/868141
Bug: https://bugs.gentoo.org/873385
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 1 +
www-apps/mediawiki/mediawiki-1.37.6.ebuild | 86 ++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebe28034a2a04865a9601f4b9356cbf4b211537

commit 5ebe28034a2a04865a9601f4b9356cbf4b211537
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:38:53 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:38:53 +0000

www-apps/mediawiki: bump to 1.38.4

Bug: https://bugs.gentoo.org/868141
Bug: https://bugs.gentoo.org/873385
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 1 +
www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+)

These are released:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/

1.37.6 and 1.38.4 were bugfix releases released hours later:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/DMQKMFSH4K7KLBXWZTDBGI2PWLLHJHJZ/

Please stabilize when ready.

Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f

commit f6ab59d451c9aa99ccb4d49b27dab5b3a42e408f
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-10-21 03:23:30 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-10-21 03:23:30 +0000

www-apps/mediawiki: dropped obsolete & vulnerable 1.37.4 & 1.38.2

Bug: https://bugs.gentoo.org/873385
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 2 -
www-apps/mediawiki/mediawiki-1.37.4.ebuild | 86 ------------------------------
www-apps/mediawiki/mediawiki-1.38.2.ebuild | 86 ------------------------------
3 files changed, 174 deletions(-)

the tree is clean now, you can proceed

Thanks! GLSA request filed.

Two more CVEs that appear to be fixed in Gentoo with the versions in summary.

CVE-2022-41765 (https://phabricator.wikimedia.org/T309894):
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

CVE-2022-41767 (https://phabricator.wikimedia.org/T316304):
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

[ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/815376
Bug: https://bugs.gentoo.org/829302
Bug: https://bugs.gentoo.org/836430
Bug: https://bugs.gentoo.org/855965
Bug: https://bugs.gentoo.org/873385
Bug: https://bugs.gentoo.org/888041
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)

GLSA released, all done!