Debian has issued an advisory on October 1: https://www.debian.org/security/2021/dsa-4979 The issues are fixed upstream in 1.35.4: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/ Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.35.4CC: (none) => tmbWhiteboard: (none) => MGA8TOO
Suggested advisory: ======================== The updated packages fix a security vulnerability: XSS vulnerability in Special:Search. (CVE-2021-41798) ApiQueryBacklinks can cause a full table scan. (CVE-2021-41799) Fix PoolCounter protection of Special:Contributions. (CVE-2021-41800) ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked). (CVE-2021-41801) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41799 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41800 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41801 https://www.debian.org/security/2021/dsa-4979 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-sqlite-1.35.4-1.mga8 mediawiki-mysql-1.35.4-1.mga8 mediawiki-pgsql-1.35.4-1.mga8 mediawiki-1.35.4-1.mga8 from SRPM: mediawiki-1.35.4-1.mga8.src.rpm
CVE: (none) => CVE-2021-41798, CVE-2021-41799, CVE-2021-41800, CVE-2021-41801Assignee: bugsquad => qa-bugsStatus comment: Fixed upstream in 1.35.4 => (none)Version: Cauldron => 8Whiteboard: MGA8TOO => (none)Status: NEW => ASSIGNEDCC: (none) => nicolas.salguero
MGA8-64 Plasma on Lenovo B50 No installation issues. Made sure mysql and httpd were running. Had problem getting into mysql, uninstalled, deleted all files for it from /etc and /var/lib, reinstalled, still no joy. Found out googling that I had to # systemctl enable mysqld.service Created symlink /etc/systemd/system/multi-user.target.wants/mysqld.service → /usr/lib/systemd/system/mysqld.service. This was new to me, or I forgot.... # systemctl start mysqld # mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and haven't set the root password yet, you should just press enter here. This let me define my password for root and then I could proceed with the steps in the Wiki OK. All is well that ends wel.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued an advisory for this on October 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
Severity: normal => major
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0477.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED