Mageia 2021-0086: mediawiki security update
Summary
In MediaWiki before 1.31.11, the messages userrights-expiry-current and
userrights-expiry-none can contain raw HTML. XSS can happen when a user visits
Special:UserRights but does not have rights to change all userrights, and the
table on the left side has unchangeable groups in it. The right column with
the changeable groups is not affected and is escaped correctly
(CVE-2020-35475).
MediaWiki before 1.31.11 blocks legitimate attempts to hide log entries in
some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main
Page, visits a log entry on Special:Log, and toggles the "Change visibility of
selected log entries" checkbox (or a tags checkbox) next to it, there is a
redirection to the main page's action=historysubmit instead of the desired
behavior in which a revision-deletion form appears (CVE-2020-35477).
MediaWiki before 1.31.11 allows XSS via BlockLogFormatter.php.
Language::translateBlockExpiry itself does not escape in all code paths. For
example, the return of Language::userTimeAndDate is is always unsafe for HTML
in a month value (CVE-2020-35479).
An issue was discovered in MediaWiki before 1.31.11. Missing users (accounts
that don't exist) and hidden users (accounts that have been explicitly hidden
due to being abusive, or similar) that the viewer cannot see are handled
differently, exposing sensitive information about the hidden status to
unprivileged viewers. This exists on various code paths (CVE-2020-35480).
References
- https://bugs.mageia.org/show_bug.cgi?id=27781
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/X2TKK7TINY7UEGNSXVX2KE54IACBCR4L/
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/7PJKIVUOH7MLVTGOEXAKNWJ4RWRVKGSK/
- https://www.debian.org/security/2020/dsa-4816
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35475
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35477
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35479
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35480
Resolution
MGASA-2021-0086 - Updated mediawiki packages fix security vulnerability
SRPMS
- 7/core/mediawiki-1.31.12-1.mga7