Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614906 (CVE-2017-0361, CVE-2017-0362, CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0366, CVE-2017-0367, CVE-2017-0368, CVE-2017-0369, CVE-2017-0370, CVE-2017-0372) - <www-apps/mediawiki-1.27.3: multiple vulnerabilities
Summary: <www-apps/mediawiki-1.27.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-0361, CVE-2017-0362, CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0366, CVE-2017-0367, CVE-2017-0368, CVE-2017-0369, CVE-2017-0370, CVE-2017-0372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/pipermail...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-07 09:07 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-28 11:47 UTC (History)
2 users (show)

See Also:
Package list:
www-apps/mediawiki-1.27.3
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-07 09:07:02 UTC 
== Security fixes ==
* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect
  to interwiki links. (CVE-2017-0363, CVE-2017-0364)
* (T144845) XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.  (CVE-2017-0365)
* (T125177) API parameters may now be marked as "sensitive" to keep
  their values out of the logs.  (CVE-2017-0361)
* (T150044) "Mark all pages visited" on the watchlist now requires a CSRF
  token.  (CVE-2017-0362)
* (T156184) Escape content model/format url parameter in message.
  (CVE-2017-0368)
* (T151735) SVG filter evasion using default attribute values in DTD
  declaration. (CVE-2017-0366)
* (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter. (CVE-2017-0370)
* (T108138) Sysops can undelete pages, although the page is protected
  against it. (CVE-2017-0369)

The following only affects 1.27 and above and is not included in the 1.23
upgrade:

* (T161453) LocalisationCache will no longer use the temporary directory
  in its fallback chain when trying to work out where to write the cache.
  (CVE-2017-0367)

The following fix is for the SyntaxHighlight extension:

* (T158689) Parameters injection in SyntaxHighlight results in multiple
  vulnerabilities. (CVE-2017-0372)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 20:57:27 UTC 
Now in repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacce1c76fc3f72971acc28703d0df7059d69936


@ Arches,

please test and mark stable: =www-apps/mediawiki-1.27.3
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-05 11:06:02 UTC 
amd64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-05 14:30:38 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:28 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-28 11:47:48 UTC 
GLSA Vote: No

Repository is now clean, all done.