[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Hey Kunal, thanks again for preparing these debdiffs. After reviewing them, I've gone ahead and uploaded the packages to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages to build and run through autopkgtests; any feedback or additional testing you or anyone can give would be greatly appreciated.

Thanks again.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955352

Title:
  Vulnerable to information disclosure through various actions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Hi Kunal,

Thanks for preparing these updates, I'm looking at them now. Apologies that they didn't get picked up earlier.

** Changed in: mediawiki (Ubuntu Bionic)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mediawiki (Ubuntu Focal)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mediawiki (Ubuntu Impish)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mediawiki (Ubuntu Bionic)
       Status: New => In Progress
** Changed in: mediawiki (Ubuntu Focal)
       Status: New => In Progress
** Changed in: mediawiki (Ubuntu Impish)
       Status: New => In Progress
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

** Changed in: mediawiki (Ubuntu Hirsute)
       Status: New => Won't Fix
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
** Changed in: mediawiki (Ubuntu Bionic)
   Importance: Undecided => Medium
** Changed in: mediawiki (Ubuntu Focal)
   Importance: Undecided => Medium
** Changed in: mediawiki (Ubuntu Hirsute)
   Importance: Undecided => Medium
** Changed in: mediawiki (Ubuntu Impish)
   Importance: Undecided => Medium
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Version in jammy includes the fixes:

mediawiki (1:1.35.5-1) unstable; urgency=high

  [ Kunal Mehta ]
  * New upstream version 1.35.5, fixing CVE-2021-44854, CVE-2021-44855,
    CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038.

  [ Debian Janitor ]
  * Remove constraints unnecessary since buster

 -- Kunal Mehta Thu, 30 Sep 2021 20:42:36 -0700

** Also affects: mediawiki (Ubuntu Jammy)
   Importance: Medium
       Status: New
** Also affects: mediawiki (Ubuntu Hirsute)
   Importance: Undecided
       Status: New
** Also affects: mediawiki (Ubuntu Bionic)
   Importance: Undecided
       Status: New
** Also affects: mediawiki (Ubuntu Impish)
   Importance: Undecided
       Status: New
** Also affects: mediawiki (Ubuntu Focal)
   Importance: Undecided
       Status: New
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44854
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44855
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44856
** Changed in: mediawiki (Ubuntu Jammy)
       Status: New => Fix Released
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
** Information type changed from Public to Public Security
** Changed in: mediawiki (Ubuntu)
   Importance: Undecided => Medium
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Removing ~ubuntu-sponsors and subscribing ~ubuntu-security-sponsors, as this should be applied to the security pocket.
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
The attachment "impish.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff.

If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

** Tags added: patch
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Note the version in bionic is not vulnerable to CVE-2021-44857 nor CVE-2021-45038.

** Patch added: "bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+attachment/5548616/+files/bionic.debdiff
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44858
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Note that the version in focal is not vulnerable to CVE-2021-44857 nor CVE-2021-45038.

** Patch added: "focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+attachment/5548615/+files/focal.debdiff
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
** Patch added: "debdiff for hirsute"
   https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+attachment/5548614/+files/hirsute.debdiff
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44857
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45038
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
debdiff for impish

** Patch added: "impish.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+attachment/5548613/+files/impish.debdiff