Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aff7df9d by Moritz Muehlenhoff at 2026-06-30T21:09:16+02:00
more mediawiki issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,24 +1,59 @@
+CVE-2026-58030 [Escape linelinks argument before passing it on to Pygments]
+       - mediawiki <unfixed>
+       NOTE: https://phabricator.wikimedia.org/T427167
+       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306180
 (master)
+       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306191
 (REL1_43)
+CVE-2026-58027 [Hide hit count for private/protected filters in API]
+       - mediawiki <unfixed>
+       NOTE: https://phabricator.wikimedia.org/T406954
+       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306182 
(master)
+       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306181 
(REL1_43)
+CVE-2026-58025 [Safely unserialize log entry parameters]
+       - mediawiki <unfixed>
+       NOTE: https://phabricator.wikimedia.org/T422244
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306343 (master)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306363 
(REL1_43)
+CVE-2026-58037 [LogFormatter: 'raw' parameter format is no longer raw HTML]
+       - mediawiki <unfixed>
+       NOTE: https://phabricator.wikimedia.org/T422995
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306232 (master)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306314 
(REL1_43)
+CVE-2026-58029 [Check for editmyprivateinfo right in more places]
+       - mediawiki <unfixed>
+       NOTE: http://phabricator.wikimedia.org/T422676
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306215 (master)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306313 
(REL1_43)
+CVE-2026-58024 [Restrict interwiki user lookup in ApiUserrights]
+       - mediawiki <unfixed>
+       NOTE: https://phabricator.wikimedia.org/T422085
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1268588 (master)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306312 
(REL1_43)
+CVE-2026-58026 [Make sure the actual title that's being transcluded is 
includable]
+       - mediawiki <unfixed>
+       NOTE: http://phabricator.wikimedia.org/T299359
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306214 (master)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306311 
(REL1_43)
 CVE-2026-58032 [mw.Api.getErrorMessage: Treat formatversion=1 as text]
        - mediawiki <unfixed>
        NOTE: https://phabricator.wikimedia.org/T426867
-       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (main)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (master)
        NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306310 
(REL1_43)
 CVE-2026-58033 [Exclude rev-deleted usernames from distinct authors query]
        - mediawiki <unfixed>
        NOTE: https://phabricator.wikimedia.org/T427235
-       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (main)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (master)
        NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306309 
(REL1_43)
 CVE-2026-58028 [Disallow user JS in pretty-print api.php responses]
        - mediawiki <unfixed>
        NOTE: http://phabricator.wikimedia.org/T422306
-       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (main)
-       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 
(main)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (master)
+       NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 
(master)
        NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306308 
(REL1_43)
        NOTE: 
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306320 
(REL1_43)
 CVE-2026-58036 [Fix ApiQueryUsers leaking status ofprivate user conditions for 
user]
        - mediawiki <not-affected> (Only affects 1.46 and later)
        NOTE: https://phabricator.wikimedia.org/T425406
-       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (main)
+       NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (master)
 CVE-2026-13766
        NOT-FOR-US: DBIx::QuickORM Perl module
 CVE-2026-57082


=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mediawiki
+--
 netty
 --
 nginx (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to