CVE-2021-30154:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

CVE-2021-30157:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

CVE-2021-30158:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.

Fixes in 1.35.2, please bump.
afaics 1.35.2 is not released yet: https://www.mediawiki.org/wiki/Download
Ah, my bad.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548

commit 00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-09 12:05:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-09 12:06:05 +0000

    www-apps/mediawiki: security bump to 1.35.2

    Bug: https://bugs.gentoo.org/780654
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                | 1 +
 www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
it should be safe to stabilize
Thanks! From the changelog:

(T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
(T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
(T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
(T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect.
(T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
(T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user cancreate pages.
(T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.
amd64 ppc x86 (ALLARCHES) done

all arches done
Thanks! Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8bf368b3924eb7962008fdd12ea7d3873fda32e

commit c8bf368b3924eb7962008fdd12ea7d3873fda32e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-10 04:43:35 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-10 04:43:35 +0000

    www-apps/mediawiki: removed old and vulnerable 1.35.1

    Bug: https://bugs.gentoo.org/780654
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                | 1 -
 www-apps/mediawiki/mediawiki-1.35.1.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
we're clean now, you can proceed.
(In reply to Miroslav Šulc from comment #9)
> we're clean now, you can proceed.

Thanks!
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40 by GLSA coordinator John Helmert III (ajak).