Fedora: 2021-b5657daf44 Critical MediaWiki XSS Vulnerabilities Identified

MediaWiki is the software used for Wikipedia and the other Wikimedia

Foundation websites. Compared to other wikis, it has an excellent

range of features and support for high-traffic websites using multiple

servers

This package supports wiki farms. Read the instructions for creating wiki

instances under /usr/share/doc/mediawiki/README.RPM.

Remember to remove the config dir after completing the configuration.

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/KSMS2ET2EWZJT7Y3H335B3XNV723FOZR/ The 1.34.x series is now end-of-life and

the 1.35.x series is a LTS release.

* Wed Dec 2 2020 Michael Cronenworth - 1.35.0-1

- Update to 1.35.0

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/KSMS2ET2EWZJT7Y3H335B3XNV723FOZR/

[ 1 ] Bug #1288786 - php-zordius-lightncandy-1.2.5 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1288786

[ 2 ] Bug #1667755 - php-wikimedia-assert-0.5.0 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1667755

[ 3 ] Bug #1882555 - mediawiki-1.35.0 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1882555

[ 4 ] Bug #1903753 - CVE-2020-26120 mediawiki: XSS exists in the MobileFrontend extension [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903753

[ 5 ] Bug #1903755 - CVE-2020-26121 mediawiki: attacker can import a file even when the target page is protected against page creation [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903755

[ 6 ] Bug #1903760 - CVE-2020-25815 mediawiki: LogEventList::getFiltersDesc is insecurely using message text to build options names for HTML multi-select field [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903760

[ 7 ] Bug #1903762 - CVE-2020-25827 mediawiki: using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903762

[ 8 ] Bug #1903765 - CVE-2020-25813 mediawiki: Special:UserRights exposes the existence of hidden users [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903765

[ 9 ] Bug #1903769 - CVE-2020-25812 mediawiki: XSS using raw HTML [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903769

[ 10 ] Bug #1903771 - CVE-2020-25869 mediawiki: handling of actor ID does not necessarily use the correct database or correct wiki leads to information disclosure [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903771

[ 11 ] Bug #1903775 - CVE-2020-25814 mediawiki: XSS via javascript:payload [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903775

[ 12 ] Bug #1903778 - CVE-2020-25828 mediawiki: non-jqueryMsg version of mw.message().parse() doesn't escape HTML leads to XSS [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1903778

su -c 'dnf upgrade --advisory FEDORA-2020-a4802c53d9' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/