"== Security fixes ==
* (T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action"

Please stabilize 1.36.3.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e81c7c466f2b013ac04c94c28436e919b9601de

commit 4e81c7c466f2b013ac04c94c28436e919b9601de
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-12-16 07:55:59 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-16 07:55:59 +0000

    www-apps/mediawiki: removed obsolete and vulnerable 1.36.2

    Bug: https://bugs.gentoo.org/829302
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest | 1 -
 www-apps/mediawiki/mediawiki-1.36.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
The tree is clean now, you can proceed.
Thank you!
GLSA request filed.
Some more CVEs fixed in these versions.

CVE-2021-44856 (https://phabricator.wikimedia.org/T271037): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

CVE-2021-44854 (https://phabricator.wikimedia.org/T292763): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

CVE-2021-44855 (https://phabricator.wikimedia.org/T293589): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.