815376 – (CVE-2021-41798, CVE-2021-41799, CVE-2021-41800) <www-apps/mediawiki-1.36.2: multiple vulnerabilities

Bug 815376 (CVE-2021-41798, CVE-2021-41799, CVE-2021-41800) - <www-apps/mediawiki-1.36.2: multiple vulnerabilities

Summary: <www-apps/mediawiki-1.36.2: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2021-41798, CVE-2021-41799, CVE-2021-41800

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://lists.wikimedia.org/hyperkitt...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	815640
Blocks:
	Show dependency tree

Reported:	2021-09-29 17:03 UTC by John Helmert III
Modified:	2023-05-21 19:53 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-09-29 17:03:21 UTC

From URL:

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.31.16
- 1.35.4
- 1.36.2

This will resolve 3 issues in MediaWiki core and also includes some fixes
previously committed to git, including minor security and hardening patches
along with bug fixes included for maintenance reasons.

Comment 1 John Helmert III archtester

2021-09-30 18:30:21 UTC

Please bump to 1.36.2.

Comment 2 Larry the Git Cow gentoo-dev

2021-10-01 12:00:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d4e80120420a01be97bf7366bfd6805a37272f1

commit 3d4e80120420a01be97bf7366bfd6805a37272f1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-01 12:00:15 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-01 12:00:30 +0000

    www-apps/mediawiki: bump to 1.36.2
    
    Bug: https://bugs.gentoo.org/815376
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2021-10-02 07:32:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8773d06fa788fcfa6f0f4210c17f98351ff37007

commit 8773d06fa788fcfa6f0f4210c17f98351ff37007
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-02 07:31:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-02 07:31:46 +0000

    www-apps/mediawiki: removed vulnerable 1.36.1
    
    Bug: https://bugs.gentoo.org/815376
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.36.1.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)

Comment 4 Miroslav Šulc gentoo-dev

2021-10-02 07:32:35 UTC

the tree is clean now, you can proceed.

Comment 5 John Helmert III archtester

2021-10-02 13:11:55 UTC

Thanks!

Comment 6 John Helmert III archtester

2022-12-26 20:39:54 UTC

GLSA request filed.

Comment 7 Larry the Git Cow gentoo-dev

2023-05-21 19:52:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comment 8 John Helmert III archtester

2023-05-21 19:53:32 UTC

GLSA released, all done!