Arch Linux Security Advisory ASA-201608-19
==========================================

Severity: Medium
Date    : 2016-08-26
CVE-ID  : CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334
          CVE-2016-6335 CVE-2016-6336 CVE-2016-6337
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package mediawiki before version 1.27.1-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
permission bypass.

Resolution
==========
Upgrade to 1.27.1-1.

# pacman -Syu "mediawiki>=1.27.1-1"

The problems have been fixed upstream in version 1.27.1.

Workaround
==========
None.

Description
===========
- CVE-2016-6331 (permission bypass)
The fix checks read permission when loading page content in ApiParse.
This prevents leaking page contents when an extension denies read
rights to certain pages via a userCan hook while the user still has
read rights in general.

- CVE-2016-6332 (permission bypass)
The fix makes $wgBlockDisablesLogin also restrict logged-in permissions.
It covers both Title and user-related methods, so it catches code that
only calls $wgUser->isAllowed( 'read' ) and gives a nicer error message
for code that uses $title->userCan(). Otherwise, a user with an ongoing
session can still do stuff and read pages.

- CVE-2016-6333 (cross-site scripting)
Escape '<' and ']]>' in inline
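
A triage helper for the two permission-bypass items above (CVE-2016-6331 and CVE-2016-6332), added here as an example and not part of the advisory or of MediaWiki: it compares an installed version against the fixed 1.27.1-1 and flags the preconditions the descriptions name. The function names, the `LocalSettings.php` and `extensions/` layout under the given root, and the sample tree are assumptions of this example.

```shell
# Added example, not part of ASA-201608-19: upgrade and exposure triage.
FIXED="1.27.1-1"   # fixed package version stated in the advisory

# True (0) when version $1 is older than $2. Assumes numeric fields
# separated by '.' or '-' and no epoch (fits "1.27.1-1").
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 1
}

# Print advisory preconditions found under MediaWiki root $1.
# Heuristic text search: a hit means "review this", nothing more.
exposure_hints() {
    # CVE-2016-6332 concerns wikis that enable $wgBlockDisablesLogin.
    if grep -Eqs '^[[:space:]]*\$wgBlockDisablesLogin[[:space:]]*=[[:space:]]*true' \
            "$1/LocalSettings.php"; then
        echo "CVE-2016-6332: \$wgBlockDisablesLogin is enabled"
    fi
    # CVE-2016-6331 concerns extensions that deny read via a userCan hook.
    grep -rls 'userCan' "$1/extensions" | sort |
        sed 's/^/CVE-2016-6331: userCan hook referenced in /'
}

# $1 = installed package version, $2 = MediaWiki root directory.
triage() {
    if version_lt "$1" "$FIXED"; then
        echo "mediawiki $1 is older than $FIXED: upgrade required"
        exposure_hints "$2"
        return 1
    fi
    echo "mediawiki $1 includes the fixes"
}

# Constructed sample tree for a dry run; prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/extensions/Demo"
    printf '%s\n' '<?php' '$wgBlockDisablesLogin = true;' > "$d/LocalSettings.php"
    printf '%s\n' '<?php' "\$wgHooks['userCan'][] = 'Demo::onUserCan';" \
        > "$d/extensions/Demo/Demo.php"
    echo "$d"
}
```

On Arch, the installed version for the first argument of `triage` is the second field printed by `pacman -Q mediawiki`.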