Linux Security

Debian LTS: DLA-2648-1: mediawiki security update

Date 05 May 2021
Posted By LinuxSecurity Advisories

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2648-1                                    Abhijith PA
May 05, 2021
- -------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.27.7-1~deb9u8
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 
                 CVE-2021-30155 CVE-2021-30158 CVE-2021-30159
Debian Bug     : 985574 984664

Several vulnerabilities were discovered in mediawiki, a wiki 
website engine for collaborative work.

CVE-2021-20270

    An infinite loop in SMLLexer in Pygments, used by mediawiki as
    one of its lexers, may lead to denial of service when performing
    syntax highlighting of a Standard ML (SML) source file, as
    demonstrated by input that only contains the "exception" keyword.

CVE-2021-27291

    The lexers in pygments, which mediawiki uses, rely heavily on
    regular expressions. Some of the regular expressions have exponential
    or cubic worst-case complexity and are vulnerable to ReDoS. By
    crafting malicious input, an attacker can cause a denial of service.

CVE-2021-30152

    An issue was discovered in MediaWiki. When using the MediaWiki
    API to "protect" a page, a user is currently able to protect to a
    higher level than they currently have permissions for.

CVE-2021-30155

    An issue was discovered in MediaWiki before. ContentModelChange
    does not check if a user has correct permissions to create and set
    the content model of a nonexistent page.

CVE-2021-30158

    An issue was discovered in MediaWiki. Blocked users are unable to
    use Special:ResetTokens. This has security relevance because a
    blocked user might have accidentally shared a token, or might know
    that a token has been compromised, and yet is not able to block
    any potential future use of the token by an unauthorized party.

CVE-2021-30159

    An issue was discovered in MediaWiki. Users can bypass intended
    restrictions on deleting pages in certain "fast double move"
    situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but
    it's only called if Title::getArticleID() returns non-zero with no
    special flags. Next, MovePage::moveToInternal() will delete the
    page if getArticleID(READ_LATEST) is non-zero. Therefore, if the
    page is missing in the replica DB, isValidMove() will return true,
    and then moveToInternal() will unconditionally delete the page if
    it can be found in the master.

For Debian 9 stretch, these problems have been fixed in version
1:1.27.7-1~deb9u8.
We recommend that you upgrade your mediawiki packages.
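To tell whether an installed mediawiki package already carries this fix, the following added example (not part of the advisory or of Debian's own tooling) implements the version ordering rules of deb-version(5) and compares a version string, such as the one printed by dpkg-query, against the fixed version named above.

```python
import re

# Added example, not part of the DLA: decide whether an installed mediawiki
# package already carries the fix from DLA-2648-1, using the Debian version
# comparison rules of deb-version(5) (epoch, then upstream, then revision).
FIXED_VERSION = "1:1.27.7-1~deb9u8"  # fixed version named in the advisory

def _order(c: str) -> int:
    # dpkg weight: '~' < end of string (0) < letters < other non-digit characters
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream_version or debian_revision fragment: alternate a
    # lexical pass over non-digit runs with a numeric pass over digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            ob = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1  # equal non-zero weights: both were non-digits
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(version: str):
    # Split "epoch:upstream-revision"; epoch and revision are optional.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # Return -1, 0 or 1 as a is older than, equal to or newer than b.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed: str) -> bool:
    # True when the installed package version is at or above FIXED_VERSION.
    return compare_versions(installed, FIXED_VERSION) >= 0
```

Note that a version without the `1:` epoch, or a stretch-security revision older than `1~deb9u8`, both compare as vulnerable, while a `~` revision sorts below a plain `-1` as dpkg intends.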

For the detailed security status of mediawiki please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:

