Branch sisyphus update bulletin.

Package mediawiki updated to version 1.32.0-alt1 for branch sisyphus in task 223491.

Published: 2018-10-04
Modified: 2024-11-21

CVE-2018-13258

Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible.

Severity: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

1041695
1041695
[wikitech-l] 20180920 Security release: 1.27.5 / 1.29.3 / 1.30.1 / 1.31.1
[wikitech-l] 20180920 Security release: 1.27.5 / 1.29.3 / 1.30.1 / 1.31.1
https://phabricator.wikimedia.org/T199029
https://phabricator.wikimedia.org/T199029

Published: 2021-10-11
Modified: 2024-11-21

CVE-2021-41801

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
https://phabricator.wikimedia.org/T279090
https://phabricator.wikimedia.org/T279090

Version: 2.1.0

Branch sisyphus update on 2019-03-04

ALT-BU-2019-3526-1

ALT-PU-2019-1337-1

Closed vulnerabilities

CVE-2018-13258

CVE-2021-41801