MGASA-2021-0568 - Updated mediawiki packages fix security vulnerabilities

Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0568.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-44854, CVE-2021-44855, CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038

Updated mediawiki packages fix security vulnerabilities:

== Security fixes ==

* (T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action.

=== Extension security fixes ===

* (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
* (T294686) Special:Nuke doesn't actually delete pages.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29772
- https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44855
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44856
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44858
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45038

SRPMS:
- 8/core/mediawiki-1.35.5-1.mga8