Advisories ยป MGASA-2021-0568

Updated mediawiki packages fix security vulnerabilities

Publication date: 19 Dec 2021
Modification date: 19 Dec 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-44854 , CVE-2021-44855 , CVE-2021-44856 , CVE-2021-44857 , CVE-2021-44858 , CVE-2021-45038

Description

Updated mediawiki packages fix security vulnerabilities:

== Security fixes ==
* (T292763. CVE-2021-44854) REST API incorrectly publicly caches
  autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
  Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to
  replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private
   wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki
  contents using rollback action

=== Extension security fixes ===
* (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
* (T294686) Special:Nuke doesn't actually delete pages.
                

References

SRPMS

8/core