| Summary: | mediawiki new security issues CVE-2021-41798, CVE-2021-41799, CVE-2021-41800, CVE-2021-41801 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | mediawiki-1.35.3-1.1.mga8.src.rpm | CVE: | CVE-2021-41798, CVE-2021-41799, CVE-2021-41800, CVE-2021-41801 |
| Status comment: | |||
Description
David Walser
2021-10-05 14:01:10 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

XSS vulnerability in Special:Search. (CVE-2021-41798)

ApiQueryBacklinks can cause a full table scan. (CVE-2021-41799)

Fix PoolCounter protection of Special:Contributions. (CVE-2021-41800)

ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked). (CVE-2021-41801)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41801
https://www.debian.org/security/2021/dsa-4979
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
========================

Updated packages in core/updates_testing:
========================
mediawiki-sqlite-1.35.4-1.mga8
mediawiki-mysql-1.35.4-1.mga8
mediawiki-pgsql-1.35.4-1.mga8
mediawiki-1.35.4-1.mga8

from SRPM:
mediawiki-1.35.4-1.mga8.src.rpm

David Walser
2021-10-05 14:01:28 CEST
Status comment: (none) => Fixed upstream in 1.35.4
CVE: (none) => CVE-2021-41798, CVE-2021-41799, CVE-2021-41800, CVE-2021-41801

MGA8-64 Plasma on Lenovo B50
No installation issues.
Made sure mysql and httpd were running.
Had a problem getting into mysql, uninstalled, deleted all files for it from /etc and /var/lib, reinstalled, still no joy. Found out googling that I had to
# systemctl enable mysqld.service
Created symlink /etc/systemd/system/multi-user.target.wants/mysqld.service → /usr/lib/systemd/system/mysqld.service.
This was new to me, or I forgot....
# systemctl start mysqld
# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
This let me define my password for root and then I could proceed with the steps in the Wiki OK.
All is well that ends well.
CC: (none) => herman.viaene

Validating.
Keywords: (none) => validated_update

Fedora has issued an advisory for this on October 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
Severity: normal => major

Dave Hodgins
2021-10-13 20:33:11 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0477.html
Status: ASSIGNED => RESOLVED
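The advisory above describes CVE-2021-41801 as ReplaceText continuing to perform actions after the user has lost the needed permission (for example by being blocked). The generic failure mode behind that description is a batch job that checks authorization once when it is queued and never again while it runs. The following is an added Python illustration of that pattern and of the obvious hardening (re-check rights before every individual action); it is not MediaWiki's or the ReplaceText extension's code, and the User, Wiki, replace_text_unsafe and replace_text_safe names, the "edit" right and the three sample pages are all constructed assumptions for the example.

```python
"""Added example, not MediaWiki/ReplaceText code: one-shot authorization
versus per-action authorization in a long-running batch job."""
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for a wiki account (assumption, not a MediaWiki API)."""
    name: str
    blocked: bool = False
    rights: set = field(default_factory=lambda: {"edit"})

    def is_allowed(self, right: str) -> bool:
        # A block overrides any right the account otherwise holds.
        return not self.blocked and right in self.rights


@dataclass
class Wiki:
    """Constructed page store; `log` records (user, title) for each edit made."""
    pages: dict
    log: list = field(default_factory=list)

    def edit(self, user: User, title: str, new_text: str) -> None:
        self.pages[title] = new_text
        self.log.append((user.name, title))


def replace_text_unsafe(wiki, user, titles, old, new, on_progress=None):
    """Vulnerable pattern: authorization is checked once, before the loop.

    If the user is blocked while the job is running, every remaining page
    is still edited on their behalf."""
    if not user.is_allowed("edit"):
        raise PermissionError(f"{user.name} may not edit")
    done = []
    for title in titles:
        if on_progress:
            on_progress(title)  # hook standing in for "time passes; an admin acts"
        wiki.edit(user, title, wiki.pages[title].replace(old, new))
        done.append(title)
    return done


def replace_text_safe(wiki, user, titles, old, new, on_progress=None):
    """Hardened pattern: re-check the right immediately before each action
    and stop at the first denial, so a mid-run block takes effect."""
    done = []
    for title in titles:
        if on_progress:
            on_progress(title)
        if not user.is_allowed("edit"):
            break  # user was blocked or lost the right while the job ran
        wiki.edit(user, title, wiki.pages[title].replace(old, new))
        done.append(title)
    return done


def simulate(job):
    """Run `job` over three constructed pages, blocking the user just before
    the second page is processed. Returns (titles edited, resulting wiki)."""
    wiki = Wiki(pages={"A": "foo bar", "B": "foo baz", "C": "foo qux"})
    user = User("alice")

    def block_before_second(title):
        if title == "B":
            user.blocked = True

    done = job(wiki, user, ["A", "B", "C"], "foo", "spam", block_before_second)
    return done, wiki


if __name__ == "__main__":
    for job in (replace_text_unsafe, replace_text_safe):
        done, wiki = simulate(job)
        print(f"{job.__name__}: edited {done}; pages now {wiki.pages}")
```

Running the block shows the unsafe job editing all three pages even though the user was blocked before the second one, while the safe job stops after the first. The same check belongs at the point of each action (or each batch of actions) in any deferred job, not only at the time it is queued.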