From URL:

Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be:
- 1.31.15
- 1.35.3
- 1.36.1

This will resolve 1 minor issue in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons.
Releases have been released: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/

* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.

Please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4755537bbe8955c4228f76fe5a3e62835761d51

commit e4755537bbe8955c4228f76fe5a3e62835761d51
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-23 16:30:37 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-23 16:30:37 +0000

www-apps/mediawiki: bump to 1.36.1, dropped vulnerable 1.36.0

Bug: https://bugs.gentoo.org/797661
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 2 +-
www-apps/mediawiki/{mediawiki-1.36.0.ebuild => mediawiki-1.36.1.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
Should be safe to stabilize.
ALLARCHES stable. Closing.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5824b5bde90c1ad15875968c7a58c10919d4e2

commit 4d5824b5bde90c1ad15875968c7a58c10919d4e2
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-24 07:52:13 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-24 07:52:53 +0000

www-apps/mediawiki: removed obsolete 1.35.2

Bug: https://bugs.gentoo.org/797661
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-apps/mediawiki/Manifest | 1 -
www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ------------------------------
2 files changed, 87 deletions(-)
Thank you fordfrog.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40 by GLSA coordinator John Helmert III (ajak).