[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2504-1] mediawiki security update

Debian LTS Advisory DLA-2504-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
December 22, 2020                             https://wiki.debian.org/LTS

Package        : mediawiki
Version        : 1:1.27.7-1~deb9u7
CVE ID         : CVE-2020-15005 CVE-2020-35477 CVE-2020-35479 CVE-2020-35480

Multiple security issues were discovered in MediaWiki, a website engine
for collaborative work.


    Private wikis behind a caching server using the img_auth.php image
    authorization security feature may have had their files cached
    publicly, so any unauthorized user could view them.


    Blocks legitimate attempts to hide log entries in some situations.


    Allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry
    itself does not escape in all code paths. For example, the return of
    Language::userTimeAndDate is is always unsafe for HTML in a month


    Missing users (accounts that don't exist) and hidden users (accounts
    that have been explicitly hidden due to being abusive, or similar)
    that the viewer cannot see are handled differently, exposing
    sensitive information about the hidden status to unprivileged

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to: