Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 760414 (CVE-2020-35474, CVE-2020-35475, CVE-2020-35477, CVE-2020-35478, CVE-2020-35480) - <www-apps/mediawiki-1.35.1: multiple vulnerabilities (CVE-2020-{35474,35475,35477,35478,35480})
Summary: <www-apps/mediawiki-1.35.1: multiple vulnerabilities (CVE-2020-{35474,35475,3...
Status: RESOLVED FIXED
Alias: CVE-2020-35474, CVE-2020-35475, CVE-2020-35477, CVE-2020-35478, CVE-2020-35480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/pipermail...
Whiteboard: B4 [noglsa]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-12-17 03:43 UTC by John Helmert III
Modified: 2020-12-22 19:07 UTC (History)
2 users (show)

See Also:
Package list:
www-apps/mediawiki-1.35.1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-12-17 03:43:22 UTC
From $URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.11
- 1.35.1

This will resolve 5 issues in MediaWiki core (1 of which isn't applicable
to MediaWiki 1.31 at all), and also includes some fixes previously
committed to git, including minor security and hardening patches along with
bug fixes included for maintenance reasons.


(Tomorrow is 20201216)
Comment 1 John Helmert III gentoo-dev Security 2020-12-17 23:52:18 UTC
1.31.11 and 1.35.1 are released:

* (T268894, CVE-2020-35474) SECURITY: Message recentchanges-legend-watchlistexpiry can contain raw html.
* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current and userrights-expiry-none can contain raw html.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.


Please bump to 1.35.1.
Comment 2 Larry the Git Cow gentoo-dev 2020-12-18 10:47:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eca29da12d5a6f6a26c84e7272e12f680b23d42f

commit eca29da12d5a6f6a26c84e7272e12f680b23d42f
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-12-18 10:47:04 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-12-18 10:47:04 +0000

    www-apps/mediawiki: bump to 1.35.1
    
    Bug: https://bugs.gentoo.org/760414
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.35.1.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2020-12-18 11:15:16 UTC
feel free to request package stabilization if needed
Comment 4 John Helmert III gentoo-dev Security 2020-12-18 18:31:17 UTC
(In reply to Miroslav Šulc from comment #3)
> feel free to request package stabilization if needed

Thanks!
Comment 5 Sam James archtester gentoo-dev Security 2020-12-19 14:27:08 UTC
amd64 done
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-12-20 16:31:16 UTC
x86 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-12-22 05:27:22 UTC
ppc done

all arches done
Comment 8 Sam James archtester gentoo-dev Security 2020-12-22 05:30:37 UTC
Please cleanup, thanks!
Comment 9 Larry the Git Cow gentoo-dev 2020-12-22 13:17:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55a85ea6c92ee7ecacad8d85096e5896c6554860

commit 55a85ea6c92ee7ecacad8d85096e5896c6554860
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-12-22 13:17:16 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-12-22 13:17:16 +0000

    www-apps/mediawiki: removed obsolete & vulnerable 1.35.0
    
    Bug: https://bugs.gentoo.org/760414
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.35.0.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2020-12-22 13:17:47 UTC
the cree is clean now, you can proceed
Comment 11 Sam James archtester gentoo-dev Security 2020-12-22 19:07:29 UTC
(In reply to Miroslav Šulc from comment #10)
> the cree is clean now, you can proceed

Thanks! All done.