| Summary: | <www-apps/mediawiki-{1.39.5,1.40.1}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | fordfrog, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
Description
John Helmert III
2023-10-30 00:09:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=685a494536d37c47f4b8eade997d9dcb1b277016

```
commit 685a494536d37c47f4b8eade997d9dcb1b277016
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-10-30 08:10:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-30 08:10:37 +0000

    www-apps/mediawiki: dropped obsolete 1.39.4-r1 & 1.40.0-r1

    Bug: https://bugs.gentoo.org/916517
    Bug: https://bugs.gentoo.org/916472
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                   |  2 -
 www-apps/mediawiki/mediawiki-1.39.4-r1.ebuild | 90 --------------------------
 www-apps/mediawiki/mediawiki-1.40.0-r1.ebuild | 92 ---------------------------
 3 files changed, 184 deletions(-)
```

the latest versions are stable now and the tree is clean now, you can proceed.

> * (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.

This is CVE-2023-45364.

> * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.

CVE-2023-45363.

> * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
> * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.

These two are still private in upstream's phabricator.

> * (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.

CVE-2023-45360.

> * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.

CVE-2023-45362.