797661 – (CVE-2021-35197) <www-apps/mediawiki-1.36.1: allows blocked users to purge pages (CVE-2021-35197)

Bug 797661 (CVE-2021-35197) - <www-apps/mediawiki-1.36.1: allows blocked users to purge pages (CVE-2021-35197)

Summary: <www-apps/mediawiki-1.36.1: allows blocked users to purge pages (CVE-2021-35197)

Status:	RESOLVED FIXED

Alias:	CVE-2021-35197

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://lists.wikimedia.org/hyperkitt...
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-06-22 22:29 UTC by John Helmert III
Modified:	2021-07-19 01:43 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	www-apps/mediawiki-1.36.1
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-06-22 22:29:50 UTC

From URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.15
- 1.35.3
- 1.36.1

This will resolve 1 minor issue in MediaWiki core and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.

Comment 1 John Helmert III archtester

2021-06-23 16:26:14 UTC

Releases have been released:

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/

* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging
pages.

Please bump.

Comment 2 Larry the Git Cow gentoo-dev

2021-06-23 16:30:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4755537bbe8955c4228f76fe5a3e62835761d51

commit e4755537bbe8955c4228f76fe5a3e62835761d51
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-23 16:30:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-23 16:30:37 +0000

    www-apps/mediawiki: bump to 1.36.1, dropped vulnerable 1.36.0
    
    Bug: https://bugs.gentoo.org/797661
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                                             | 2 +-
 www-apps/mediawiki/{mediawiki-1.36.0.ebuild => mediawiki-1.36.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

Comment 3 Miroslav Šulc gentoo-dev

2021-06-23 16:32:02 UTC

should be safe to stabilize.

Comment 4 Agostino Sarubbo gentoo-dev

2021-06-24 04:27:21 UTC

ALLARCHES stable. Closing.

Comment 5 Larry the Git Cow gentoo-dev

2021-06-24 07:52:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5824b5bde90c1ad15875968c7a58c10919d4e2

commit 4d5824b5bde90c1ad15875968c7a58c10919d4e2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-24 07:52:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-24 07:52:53 +0000

    www-apps/mediawiki: removed obsolete 1.35.2
    
    Bug: https://bugs.gentoo.org/797661
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)

Comment 6 John Helmert III archtester

2021-06-24 13:39:24 UTC

Thank you fordfrog.

Comment 7 John Helmert III archtester

2021-07-17 03:41:28 UTC

GLSA request filed.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2021-07-19 01:43:44 UTC

This issue was resolved and addressed in
 GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40
by GLSA coordinator John Helmert III (ajak).