MGASA-2021-0346

Source
https://advisories.mageia.org/MGASA-2021-0346.html
Import Source
https://advisories.mageia.org/MGASA-2021-0346.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2021-0346
Published
2021-07-12T20:26:21Z
Modified
2021-07-12T19:16:15Z
Summary
Updated mediawiki packages fix a security vulnerability
Details

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is still able to "purge" pages through the MediaWiki Action API, which a "sitewide block" should have prevented (CVE-2021-35197).

The mediawiki packages are upgraded to the latest version for their branches. See the upstream release notes for other bugfixes.


Affected packages

Mageia:8 / mediawiki

Package

Name
mediawiki
Purl
pkg:rpm/mageia/mediawiki?distro=mageia-8

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.35.3-1.1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / mediawiki

Package

Name
mediawiki
Purl
pkg:rpm/mageia/mediawiki?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.31.15-1.mga7

Ecosystem specific

{
    "section": "core"
}