Bug 829302 (CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038) - <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.mediawiki.org/wiki/2021-1...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 829303
Blocks:
Reported: 2021-12-15 23:35 UTC by John Helmert III
Modified: 2022-12-26 20:44 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 23:35:15 UTC
"== Security fixes ==
* (T292763, CVE-2021-44854) REST API incorrectly publicly caches
autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to
replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private
wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki
contents using rollback action"

Please stabilize 1.36.3.
Comment 1 Larry the Git Cow gentoo-dev 2021-12-16 07:56:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e81c7c466f2b013ac04c94c28436e919b9601de

commit 4e81c7c466f2b013ac04c94c28436e919b9601de
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-12-16 07:55:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-16 07:55:59 +0000

    www-apps/mediawiki: removed obsolete and vulnerable 1.36.2
    
    Bug: https://bugs.gentoo.org/829302
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2021-12-16 07:56:31 UTC
the tree is clean now, you can proceed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-16 16:16:00 UTC
Thank you!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:39:49 UTC
GLSA request filed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:44:29 UTC
Some more CVEs fixed in these versions.

CVE-2021-44856 (https://phabricator.wikimedia.org/T271037):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

CVE-2021-44854 (https://phabricator.wikimedia.org/T292763):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

CVE-2021-44855 (https://phabricator.wikimedia.org/T293589):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.