FEDORA-2020-a4802c53d9 — security update for mediawiki, php-oojs-oojs-ui, & 2 more

mediawiki-1.35.0-1.fc33, php-oojs-oojs-ui-0.39.3-1.fc33, & 2 more

FEDORA-2020-a4802c53d9 created by mooninite a year ago for Fedora 33

stable

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000263.html

The 1.34.x series is now end-of-life and the 1.35.x series is a LTS release.

How to install

sudo dnf upgrade --advisory=FEDORA-2020-a4802c53d9

This update has been submitted for testing by mooninite.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update has been pushed to testing.

a year ago

This update can be pushed to stable now if the maintainer wishes

a year ago

This update has been submitted for stable by mooninite.

a year ago

This update has been pushed to stable.

a year ago

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

Builds

mediawiki-1.35.0-1.fc33

php-oojs-oojs-ui-0.39.3-1.fc33

php-wikimedia-assert-0.5.0-1.fc33

php-zordius-lightncandy-1.2.5-1.fc33

Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

14 days

Dates

submitted

a year ago

in testing

a year ago

in stable

a year ago

BZ#1288786 php-zordius-lightncandy-1.2.5 is available

BZ#1667755 php-wikimedia-assert-0.5.0 is available

BZ#1882555 mediawiki-1.35.0 is available

BZ#1903753 CVE-2020-26120 mediawiki: XSS exists in the MobileFrontend extension [fedora-all]

BZ#1903755 CVE-2020-26121 mediawiki: attacker can import a file even when the target page is protected against page creation [fedora-all]

BZ#1903760 CVE-2020-25815 mediawiki: LogEventList::getFiltersDesc is insecurely using message text to build options names for HTML multi-select field [fedora-all]

BZ#1903762 CVE-2020-25827 mediawiki: using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level [fedora-all]

BZ#1903765 CVE-2020-25813 mediawiki: Special:UserRights exposes the existence of hidden users [fedora-all]

BZ#1903769 CVE-2020-25812 mediawiki: XSS using raw HTML [fedora-all]

BZ#1903771 CVE-2020-25869 mediawiki: handling of actor ID does not necessarily use the correct database or correct wiki leads to information disclosure [fedora-all]

BZ#1903775 CVE-2020-25814 mediawiki: XSS via javascript:payload [fedora-all]

BZ#1903778 CVE-2020-25828 mediawiki: non-jqueryMsg version of mw.message().parse() doesn't escape HTML leads to XSS [fedora-all]

mediawiki-1.35.0-1.fc33
php-oojs-oojs-ui-0.39.3-1.fc33
php-wikimedia-assert-0.5.0-1.fc33
php-zordius-lightncandy-1.2.5-1.fc33

How to install

Automated Test Results