Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829302 (CVE-2021-44854, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038) - <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44854, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.mediawiki.org/wiki/2021-1...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 829303
Blocks:
  Show dependency tree
 
Reported: 2021-12-15 23:35 UTC by John Helmert III
Modified: 2022-07-03 03:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 23:35:15 UTC 
"== Security fixes ==
* (T292763. CVE-2021-44854) REST API incorrectly publicly caches
autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to
replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private
wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki
contents using rollback action"

Please stabilize 1.36.3.
Comment 1 Larry the Git Cow gentoo-dev 2021-12-16 07:56:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e81c7c466f2b013ac04c94c28436e919b9601de

commit 4e81c7c466f2b013ac04c94c28436e919b9601de
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-12-16 07:55:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-16 07:55:59 +0000

    www-apps/mediawiki: removed obsolete and vulnerable 1.36.2
    
    Bug: https://bugs.gentoo.org/829302
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2021-12-16 07:56:31 UTC 
the tree is clean now, you can proceed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-16 16:16:00 UTC 
Thank you!