ArchLinux: 201608-19: mediawiki: multiple issues
Summary
- CVE-2016-6331 (permission bypass)
Check read permission when loading page content in ApiParse. Prevents
leaking page contents for extensions that deny read rights to certain
pages via a userCan hook, but still allow the user to have read rights
in general.
- CVE-2016-6332 (permission bypass)
Make $wgBlockDisablesLogin also restrict the permissions of users who are
already logged in. The restriction is applied in both the Title-related and
the User-related permission methods, so it covers code that only calls
$wgUser->isAllowed( 'read' ) and also gives a clearer error message for code
that uses $title->userCan(). Without this, a blocked user with an ongoing
session could still perform actions and read pages.
- CVE-2016-6333 (cross-site scripting)
Escape '<' and ']]>' in inline
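As an added illustration of the gap CVE-2016-6331 closes (example code, not from the advisory or from MediaWiki itself): a userCan hook in LocalSettings.php denies reading one page while the user keeps the general read right, and two checks show why only the per-title check sees that denial. The page title 'Internal notes', the hook body and the two helper functions are assumptions for this example; a MediaWiki 1.27 environment is assumed.

```php
<?php
// LocalSettings.php fragment (assumed MediaWiki 1.27 environment; example only).

// Every user keeps the general 'read' right...
$wgGroupPermissions['*']['read'] = true;

// ...but a userCan hook denies reading one specific page.
// 'Internal notes' is an assumed example title; this is the pattern the
// advisory describes (read denied per title, not per user).
$wgHooks['userCan'][] = function ( &$title, &$user, $action, &$result ) {
    if ( $action === 'read' && $title->getPrefixedText() === 'Internal notes' ) {
        $result = false;   // deny the action
        return false;      // stop further hooks; $result is used as the answer
    }
    return true;           // let MediaWiki's own checks decide
};

// Illustrative helpers (assumed names, not ApiParse's real code).
// This check only consults the user's rights, so the hook above never runs
// and a per-title denial is invisible to it:
function canReadUserOnly( User $user ) {
    return $user->isAllowed( 'read' );
}

// This check goes through Title::userCan(), which runs the userCan hook,
// so the per-title denial is honoured. Loading page content through a
// check of this kind is what the fix adds to ApiParse:
function canReadTitle( Title $title, User $user ) {
    return $title->userCan( 'read', $user );
}
```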
Resolution
Upgrade to 1.27.1-1.
# pacman -Syu "mediawiki>=1.27.1-1"
The problems have been fixed upstream in version 1.27.1.
References
Workaround
None.