829302 – (CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038) <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities

Bug 829302 (CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038) - <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities

Summary: <www-apps/mediawiki-{1.36.3,1.37.1}: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://www.mediawiki.org/wiki/2021-1...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:	829303
Blocks:
	Show dependency tree

Reported:	2021-12-15 23:35 UTC by John Helmert III
Modified:	2022-12-26 20:44 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-12-15 23:35:15 UTC

"== Security fixes ==
* (T292763. CVE-2021-44854) REST API incorrectly publicly caches
autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to
replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private
wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki
contents using rollback action"

Please stabilize 1.36.3.

Comment 1 Larry the Git Cow gentoo-dev

2021-12-16 07:56:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e81c7c466f2b013ac04c94c28436e919b9601de

commit 4e81c7c466f2b013ac04c94c28436e919b9601de
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-12-16 07:55:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-16 07:55:59 +0000

    www-apps/mediawiki: removed obsolete and vulnerable 1.36.2
    
    Bug: https://bugs.gentoo.org/829302
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)

Comment 2 Miroslav Šulc gentoo-dev

2021-12-16 07:56:31 UTC

the tree is clean now, you can proceed.

Comment 3 John Helmert III archtester

2021-12-16 16:16:00 UTC

Thank you!

Comment 4 John Helmert III archtester

2022-12-26 20:39:49 UTC

GLSA request filed.

Comment 5 John Helmert III archtester

2022-12-26 20:44:29 UTC

Some more CVEs fixed in these versions.

CVE-2021-44856 (https://phabricator.wikimedia.org/T271037):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

CVE-2021-44854 (https://phabricator.wikimedia.org/T292763):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

CVE-2021-44855 (https://phabricator.wikimedia.org/T293589):

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.