Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 797661 (CVE-2021-35197) - <www-apps/mediawiki-1.36.1: allows blocked users to purge pages (CVE-2021-35197)
Summary: <www-apps/mediawiki-1.36.1: allows blocked users to purge pages (CVE-2021-35197)
Status: RESOLVED FIXED
Alias: CVE-2021-35197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/hyperkitt...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-22 22:29 UTC by John Helmert III
Modified: 2021-07-19 01:43 UTC (History)
2 users (show)

See Also:
Package list:
www-apps/mediawiki-1.36.1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-06-22 22:29:50 UTC
From URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.15
- 1.35.3
- 1.36.1

This will resolve 1 minor issue in MediaWiki core and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.
Comment 1 John Helmert III gentoo-dev Security 2021-06-23 16:26:14 UTC
Releases have been released:

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/

* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging
pages.

Please bump.
Comment 2 Larry the Git Cow gentoo-dev 2021-06-23 16:30:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4755537bbe8955c4228f76fe5a3e62835761d51

commit e4755537bbe8955c4228f76fe5a3e62835761d51
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-23 16:30:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-23 16:30:37 +0000

    www-apps/mediawiki: bump to 1.36.1, dropped vulnerable 1.36.0
    
    Bug: https://bugs.gentoo.org/797661
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                                             | 2 +-
 www-apps/mediawiki/{mediawiki-1.36.0.ebuild => mediawiki-1.36.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 3 Miroslav Šulc gentoo-dev 2021-06-23 16:32:02 UTC
should be safe to stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2021-06-24 04:27:21 UTC
ALLARCHES stable. Closing.
Comment 5 Larry the Git Cow gentoo-dev 2021-06-24 07:52:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5824b5bde90c1ad15875968c7a58c10919d4e2

commit 4d5824b5bde90c1ad15875968c7a58c10919d4e2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-24 07:52:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-24 07:52:53 +0000

    www-apps/mediawiki: removed obsolete 1.35.2
    
    Bug: https://bugs.gentoo.org/797661
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2021-06-24 13:39:24 UTC
Thank you fordfrog.
Comment 7 John Helmert III gentoo-dev Security 2021-07-17 03:41:28 UTC
GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-07-19 01:43:44 UTC
This issue was resolved and addressed in
 GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40
by GLSA coordinator John Helmert III (ajak).