type: security
subject: Updated mediawiki packages fix security vulnerability
CVE:
 - CVE-2017-0361
 - CVE-2017-0362
 - CVE-2017-0363
 - CVE-2017-0364
 - CVE-2017-0365
 - CVE-2017-0366
 - CVE-2017-0368
 - CVE-2017-0369
 - CVE-2017-0370
src:
  5:
   core:
     - mediawiki-1.23.16-1.mga5
description: |
  API parameters may now be marked as "sensitive" to keep their values out
  of the logs (CVE-2017-0361).

  "Mark all pages visited" on the watchlist now requires a CSRF token
  (CVE-2017-0362).

  Special:UserLogin and Special:Search allow redirect to interwiki links
  (CVE-2017-0363, CVE-2017-0364).

  XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true (CVE-2017-0365).

  SVG filter evasion using default attribute values in DTD declaration
  (CVE-2017-0366).

  Escape content model/format url parameter in message (CVE-2017-0368).

  Sysops can undelete pages, although the page is protected against it
  (CVE-2017-0369).

  Spam blacklist ineffective on encoded URLs inside file inclusion syntax's
  link parameter (CVE-2017-0370).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20654
 - https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
ID: MGASA-2017-0110