ArchLinux: 201809-5: mediawiki: multiple issues
Summary
- CVE-2018-0503 (access restriction bypass)
A security issue has been found in the rate limiting feature of
mediawiki < 1.31.1 where, contrary to the documentation, $wgRateLimits
entry for 'user' overrides that for 'newbie'.
- CVE-2018-0505 (access restriction bypass)
A security issue has been found in mediawiki < 1.31.1 where BotPassword
can bypass CentralAuth's account lock.
- CVE-2018-13258 (information disclosure)
A security issue has been found in mediawiki < 1.31.1 where the tarball
is missing .htaccess files used to protect some directories that
shouldn't be web accessible.
Resolution
Upgrade to 1.31.1-1.
# pacman -Syu "mediawiki>=1.31.1-1"
The problems have been fixed upstream in version 1.31.1.
References
https://www.mediawiki.org/wiki/Release_notes/1.31 https://phabricator.wikimedia.org/T169545 https://github.com/wikimedia/mediawiki/commit/befd48c5f7d3d073de96c87375d7380f6187deb6 https://phabricator.wikimedia.org/T194605 https://github.com/wikimedia/mediawiki/commit/ff6b4cb35c1944870fcd3cc525884790c20819b3 https://phabricator.wikimedia.org/T199029 https://github.com/wikimedia/mediawiki/commit/b78d595feecf9de919258b659628ca7dd872b3f4 https://security.archlinux.org/CVE-2018-0503 https://security.archlinux.org/CVE-2018-0505 https://security.archlinux.org/CVE-2018-13258
Workaround
None.