-------------------------------------------------------------------------
Debian LTS Advisory DLA-4355-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 31, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.35.13-1+deb11u5
CVE ID         : CVE-2025-11173 CVE-2025-11261 CVE-2025-61635 CVE-2025-61638
                 CVE-2025-61639 CVE-2025-61640 CVE-2025-61641 CVE-2025-61643
                 CVE-2025-61646 CVE-2025-61653 CVE-2025-61655 CVE-2025-61656

Multiple security vulnerabilities were found in mediawiki, a website
engine for collaborative work, that could lead to information
disclosure, denial of service or privilege escalation.

CVE-2025-11173

    OATHAuth extension: Reauthentication for enabling 2FA can be
    bypassed by submitting a form in Special:OATHManage.

CVE-2025-11261

    Stored i18n Cross-site scripting (XSS) vulnerability in
    mw.language.listToText.

CVE-2025-61635

    ConfirmEdit extension: Missing rate limiting in
    ApiFancyCaptchaReload.

CVE-2025-61638

    Parsoid: Validation bypass for `data-` attributes.

CVE-2025-61639

    Log entries that are hidden at the time the entry is created may
    be disclosed through the corresponding public recent changes entry.

CVE-2025-61640

    Stored i18n Cross-site scripting (XSS) vulnerability in
    Special:RecentChangesLinked.

CVE-2025-61641

    DDoS vulnerability in the QueryAllPages API in miser mode. The
    `maxsize` value is now ignored in that mode.

CVE-2025-61643

    Suppressed recent changes may be disclosed to the public RCFeeds.

CVE-2025-61646

    Public Watchlist/RecentChanges pages may disclose hidden usernames
    when an individual editor makes consecutive revisions on a single
    page and only some of those revisions have the username hidden.

CVE-2025-61653

    TextExtracts extension: Information disclosure vulnerability in the
    extracts API action endpoint due to a missing read permission check.

CVE-2025-61655

    VisualEditor extension: Stored i18n Cross-site scripting (XSS)
    vulnerability in `lastModifiedAt` system messages.

CVE-2025-61656

    VisualEditor extension: Missing attribute validation for attributes
    unwrapped from `data-ve-attributes`.

For Debian 11 bullseye, these problems have been fixed in version
1:1.35.13-1+deb11u5.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS