Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 920504

Summary: <www-apps/mediawiki-{1.39.6,1.40.2}: group-.*-member messages are not properly escaped on Special:log/rights
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: fordfrog, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 920511    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 00:23:42 UTC 
Reproduction instructions for the XSS are included in the original bug report: https://phabricator.wikimedia.org/T347726

Fixes are in 1.39.6 and 1.40.2 according to URL, please stabilize.
Comment 1 Larry the Git Cow gentoo-dev 2023-12-22 10:02:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1c7587e5cde9b327dca8945dd1e0f445598aff0

commit b1c7587e5cde9b327dca8945dd1e0f445598aff0
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-12-22 10:02:18 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-12-22 10:02:36 +0000

    www-apps/mediawiki: dropped obsolete and vulnerable 1.39.5 & 1.40.1
    
    Bug: https://bugs.gentoo.org/920511
    Bug: https://bugs.gentoo.org/920504
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.39.5.ebuild | 90 -----------------------------
 www-apps/mediawiki/mediawiki-1.40.1.ebuild | 92 ------------------------------
 3 files changed, 184 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-12-22 10:03:39 UTC 
the tree is clean now, you can proceed.