Bug 6102 - [Package Request] mediawiki CVE-2017-8809
Status: CONFIRMED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Package Requests
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
URL: https://www.debian.org/security/2017/...
Depends on:
Blocks:
 
Reported: 2015-08-25 19:11 MSD by Zombie Ryushu
Modified: 2017-11-16 11:19 MSK

RPM Package: mediawiki
Description Zombie Ryushu 2015-08-25 19:11:55 MSD
I request that MediaWiki be packaged over from Mageia. This is for feature interoperability.

Comment 2 Zombie Ryushu 2016-09-16 19:05:52 MSD
Check read permission when loading page content in ApiParse (CVE-2016-6331)

Make blocks log users out if $wgBlockDisablesLogin is true (CVE-2016-6332)

Make $wgBlockDisablesLogin also restrict logged in permissions (CVE-2016-6332)

Require login to preview user CSS pages (CVE-2016-6333)

Escape '<' and ']]>' in inline

Comment 3 Zombie Ryushu 2017-11-16 11:19:19 MSK
Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work:

    CVE-2017-8808
    Cross-site-scripting with non-standard URL escaping and $wgShowExceptionDetails disabled.

    CVE-2017-8809
    Reflected file download in API.

    CVE-2017-8810
    On private wikis the login form didn't distinguish between login failure due to bad username and bad password.

    CVE-2017-8811
    It was possible to mangle HTML via raw message parameter expansion.

    CVE-2017-8812
    id attributes in headlines allowed raw '>'.

    CVE-2017-8814
    Language converter could be tricked into replacing text inside tags.

    CVE-2017-8815