Updated mediawiki packages fix security vulnerabilities
Publication date: 19 Dec 2021Modification date: 19 Dec 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-44854 , CVE-2021-44855 , CVE-2021-44856 , CVE-2021-44857 , CVE-2021-44858 , CVE-2021-45038
Description
Updated mediawiki packages fix security vulnerabilities: == Security fixes == * (T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis. * (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel. * (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages. * (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions. * (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action === Extension security fixes === * (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog. * (T294686) Special:Nuke doesn't actually delete pages.
References
- https://bugs.mageia.org/show_bug.cgi?id=29772
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44855
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44856
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44858
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45038
SRPMS
8/core
- mediawiki-1.35.5-1.mga8