-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2648-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Abhijith PA May 05, 2021 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : mediawiki Version : 1:1.27.7-1~deb9u8 CVE ID : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30155 CVE-2021-30158 CVE-2021-30159 Debian Bug : 985574 984664 Several vulnerabilities were discovered in mediawiki, a wiki website engine for collaborative work. CVE-2021-20270 An infinite loop in SMLLexer in Pygments used by mediawiki as one if its lexers may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. CVE-2021-27291 pygments, the lexers used by mediawiki rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. CVE-2021-30152 An issue was discovered in MediaWiki. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for. CVE-2021-30155 An issue was discovered in MediaWiki before. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. CVE-2021-30158 An issue was discovered in MediaWiki. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. CVE-2021-30159 An issue was discovered in MediaWiki. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master. For Debian 9 stretch, these problems have been fixed in version 1:1.27.7-1~deb9u8. We recommend that you upgrade your mediawiki packages. For the detailed security status of mediawiki please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mediawiki Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmCSMIUACgkQhj1N8u2c KO+tbQ//V/7ZNA69utHLBwKZSwIgMO8qK/ZpS+tPLjXUyECZU2AO7116PiO4Vzx0 qrMJktxszh4vzbYfdVVtemO3DFpNY5rf8m4hyAvbmXSu5aoZF4xqKm9rCk/KwARy +943iy3D609DogqpFkZQBHQLmVCQoRvjj7NKFD67puGqhVAya7qD+sVnF4qzl1dP mRJhpWQoDS8hNmRCkUUJnb9p5Usax2lri8ybdd8PFSA3kOSdzRkarObvggIk/cBc Ga8CFmmak+FAAiCH8jWr4dodxR4ni7eCdYkooeazPWE8FY+GzfAdRlR9s6/jLPkZ DE4nCbSBIBw2GD2XM+oVl8YPz3Xer8drPvqMVMXkKUO4jtB/shvHjHKemC3Atdw/ qAtHZQY4h7B/HBYBqqlM4NCdxhf+YEAJL9W8uUO63TUu1VF7uQx8iMRBOxeJ8X/Q 0HhXNYeoBJ/Pwx/fl8BfHvMnYObW7hFmXuUeunMkRJQK5kjZyiopbX+y5qllvRkj 5ZRBinF0ojnSfRDRbBh0PEcFdsSoUblqmXvBnvFzfP5vXTe1XoPPfc7PwlJ6gFqz 4Lagjh9F56YcsrlD6PFlm3VLcQQZhkYJdj5qk1sVOTKrJzxQGfZnU5VqcL6BsE6T Cn5WHEwPQPBXzMo+xckXqNOO9QrRXWxubVMmOfmgLFhlXlXNhdU= =ChxD -----END PGP SIGNATURE-----