- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2648-1                [email protected]
https://www.debian.org/lts/security/                          Abhijith PA
May 05, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.27.7-1~deb9u8
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 
                 CVE-2021-30155 CVE-2021-30158 CVE-2021-30159
Debian Bug     : 985574 984664

Several vulnerabilities were discovered in mediawiki, a wiki 
website engine for collaborative work.


    An infinite loop in SMLLexer in Pygments used by mediawiki as 
    one if its lexers may lead to denial of service when performing 
    syntax highlighting of a Standard ML (SML) source file, as 
    demonstrated by input that only contains the "exception" keyword.


    pygments, the lexers used by mediawiki rely heavily on regular 
    expressions. Some of the regular expressions have exponential or 
    cubic worst-case complexity and are vulnerable to ReDoS. By 
    crafting malicious input, an attacker can cause a denial of service.


    An issue was discovered in MediaWiki. When using the MediaWiki 
    API to "protect" a page, a user is currently able to protect to a 
    higher level than they currently have permissions for.


    An issue was discovered in MediaWiki before. ContentModelChange 
    does not check if a user has correct permissions to create and set 
    the content model of a nonexistent page.


    An issue was discovered in MediaWiki. Blocked users are unable to 
    use Special:ResetTokens. This has security relevance because a 
    blocked user might have accidentally shared a token, or might know 
    that a token has been compromised, and yet is not able to block 
    any potential future use of the token by an unauthorized party.


    An issue was discovered in MediaWiki. Users can bypass intended 
    restrictions on deleting pages in certain "fast double move" 
    situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but 
    it's only called if Title::getArticleID() returns non-zero with no 
    special flags. Next, MovePage::moveToInternal() will delete the 
    page if getArticleID(READ_LATEST) is non-zero. Therefore, if the 
    page is missing in the replica DB, isValidMove() will return true, 
    and then moveToInternal() will unconditionally delete the page if 
    it can be found in the master.

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS