Date: Tue, 21 Dec 2021 13:41:05 GMT From: Wen Heping <wen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 968c1407f5c2 - main - security/vuxml: Document mediawiki multiple vulnerabilities Message-ID: <202112211341.1BLDf5Bo037074@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by wen: URL: https://cgit.FreeBSD.org/ports/commit/?id=968c1407f5c2e8be8158d0442721812b6eb5df09 commit 968c1407f5c2e8be8158d0442721812b6eb5df09 Author: Wen Heping <wen@FreeBSD.org> AuthorDate: 2021-12-21 13:39:58 +0000 Commit: Wen Heping <wen@FreeBSD.org> CommitDate: 2021-12-21 13:39:58 +0000 security/vuxml: Document mediawiki multiple vulnerabilities --- security/vuxml/vuln-2021.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 4b1ebdbbba0f..05b88cde90cf 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,53 @@ + <vuln vid="0a50bb48-625f-11ec-a1fb-080027cb2f6f"> + <topic>mediawiki -- multiple vulnerabilities</topic> + <affects> + <package> + <name>mediawiki135</name> + <range><lt>1.35.5</lt></range> + </package> + <package> + <name>mediawiki136</name> + <range><lt>1.36.3</lt></range> + </package> + <package> + <name>mediawiki137</name> + <range><lt>1.37.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Mediawiki reports:</p> + <blockquote cite="https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/">; + <p>(T292763. CVE-2021-44854) REST API incorrectly publicly caches + autocomplete search results from private wikis.</p> + <p>(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via + Special:ChangeContentModel.</p> + <p>(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to + replace the content of arbitrary pages.</p> + <p> (T297322, CVE-2021-44858) Unauthorized users can view contents of private + wikis using various actions.</p> + <p>(T297574, CVE-2021-45038) Unauthorized users can access private wiki + contents using rollback action</p> + <p>(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.</p> + <p>(T294686) Special:Nuke doesn't actually delete pages.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-44854</cvename> + <cvename>CVE-2021-44856</cvename> + <cvename>CVE-2021-44857</cvename> + <cvename>CVE-2021-44858</cvename> + <cvename>CVE-2021-45038</cvename> + <cvename>CVE-2021-44855</cvename> + <url>https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/</url>; + </references> + <dates> + <discovery>2021-12-01</discovery> + <entry>2021-12-21</entry> + </dates> + </vuln> + <vuln vid="650734b2-7665-4170-9a0a-eeced5e10a5e"> <topic>graylog -- remote code execution in log4j from user-controlled log input</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112211341.1BLDf5Bo037074>