FEDORA-2021-bef1126908 created by mooninite 5 months ago for Fedora 35
stable

How to install

sudo dnf upgrade --advisory=FEDORA-2021-bef1126908

This update has been submitted for testing by mooninite.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago
imabug provided feedback 5 months ago
karma

This update has been pushed to testing.

5 months ago
bynt commented & provided feedback 4 months ago

Thx for the update @mooninite,

can you comment on those CVEs? AFAIK 1.36.3 fixes

  • CVE-2021-44854
  • CVE-2021-44856
  • CVE-2021-44857
  • CVE-2021-44858
  • CVE-2021-45038

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_36/RELEASE-NOTES-1.36

For the vulns listed under 'bugs' for this update there are some patches available, but I'm not sure if they made it to 1.36.3 in time:

https://phabricator.wikimedia.org/T292226

Can you clarify which set of vulns is fixed with this update?

Thanks, cheers

mooninite commented & provided feedback 4 months ago

@bynt, the bug report CVEs are for MediaWiki extensions that are not shipped as part of our package.

Example: CVE-2021-45474 is against the 'FileImporter' extension.

CVE-2021-45472 and CVE-2021-45473 are against the 'Wikibase' extension.

CVE-2021-45471 is against the 'EntitySchema' extension.

bynt commented & provided feedback 4 months ago

OK, thanks for clarifying. We process Fedora's Security Updates primarily based on CVEs listed under 'Bugs', so that info helps. Plus I understand the Wikimedia phabricator listing better now. tyvm!

This update has been submitted for stable by bodhi.

4 months ago

This update has been pushed to stable.

4 months ago


Metadata
Type: security
Severity: medium
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 5 months ago
in testing: 5 months ago
in stable: 4 months ago
BZ#2036080 CVE-2021-45471 mediawiki: blocked IP addresses are allowed to edit EntitySchema items [fedora-all]
BZ#2036083 CVE-2021-45472 mediawiki: XSS in Wikibase using formatter URL [fedora-all]
BZ#2036088 CVE-2021-45473 mediawiki: XSS on page information Wikibase central description [fedora-all]
BZ#2036090 CVE-2021-45474 mediawiki: XSS in Special:ImportFile URL [fedora-all]
