CVE-2017-8815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8815): The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.

CVE-2017-8814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8814): The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."

CVE-2017-8812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8812): MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.

CVE-2017-8811 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8811): The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks.

CVE-2017-8810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8810): MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.

CVE-2017-8809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8809): api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.

CVE-2017-8808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8808): MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping.
@Maintainers please call for stabilization when ready. Thank you
@maintainer(s), please bump the package LTS to at least 1.27.4.
ping for bumpage.
i've bumped mediawiki to version 1.31.1 some time ago and to 1.32.0 recently. so i guess one of these can go stable.

commit 7724838bfca3aec523c82232cfa717fc1eb38d3e
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Feb 5 14:14:00 2019 +0100

    www-apps/mediawiki-1.32.0: bump

    Closes: https://bugs.gentoo.org/675186
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 294cc98f55c6c485070698177dd7f72f341cc058
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Oct 23 18:35:38 2018 +0200

    www-apps/mediawiki: version bump per bug #611240

    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
@arches, please stabilize.
amd64 stable
Looking good on ppc.

# cat mediawiki-637582.report
USE tests started on So 14. Apr 19:45:51 CEST 2019

FEATURES=' test' USE='' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres -sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick -mysql postgres -sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick -mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql -postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
(In reply to ernsteiswuerfel from comment #7)
> Looking good on ppc.
>
> # cat mediawiki-637582.report
> USE tests started on So 14. Apr 19:45:51 CEST 2019
>
> FEATURES=' test' USE='' succeeded for =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres -sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick -mysql postgres -sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick -mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql -postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0

thanks!
x86 stable
@maintainer, please drop vulnerable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd1f071fcacf79be077e6f3845ac951aa0979651

commit fd1f071fcacf79be077e6f3845ac951aa0979651
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-04-25 06:51:10 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-04-25 06:51:10 +0000

    www-apps/mediawiki-1.{27.3,31.1}: removed vulnerable (bug #637582)

    Bug: https://bugs.gentoo.org/637582
    Package-Manager: Portage-2.3.64, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.27.3.ebuild | 79 ----------------------------
 www-apps/mediawiki/mediawiki-1.31.1.ebuild | 82 ------------------------------
 3 files changed, 163 deletions(-)