Package: mediawiki | Debian Sources

Package: mediawiki / 1:1.31.16-1+deb10u2

Metadata

Package	Version	Patches format
mediawiki	1:1.31.16-1+deb10u2	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
pear phail fail shebang.diff \| (download)	vendor/pear/mail_mime/scripts/phail.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	fix shebang in vendor/pear/mail_mime/scripts/phail.php
0002 SECURITY Fix permissions checks in undo action CVE 2.patch \| (download)	includes/EditPage.php \| 6 4 + 2 - 0 ! 1 file changed, 4 insertions(+), 2 deletions(-)	security: fix permissions checks in undo action (cve-2021-44858) The traditional action=edit&undo= endpoint suffers from a flaw that allows for leaking entire private wikis by enumerating through revision IDs when at least one page was publicly accessible via $wgWhitelistRead. 05f06286f4def removed the restriction that user-supplied undo IDs belong ot the same page. This check has been restored by using RevisionLookup::getRevisionByTitle(), which returns null if the revid is
0003 SECURITY Require read right for most actions.patch \| (download)	includes/MediaWiki.php \| 5 5 + 0 - 0 ! includes/actions/Action.php \| 10 10 + 0 - 0 ! includes/actions/ViewAction.php \| 6 6 + 0 - 0 ! 3 files changed, 21 insertions(+)	security: require 'read' right for most actions As a security hardening measure to limit exposure on private wikis from actions on $wgWhitelistRead pages, require an explicit 'read' right on actions by default. Currently only ViewAction disables this check since it does its own permissions checking. This is somewhat duplicative of the permissions check in MediaWiki::performRequest() but we'll call it defense in depth. It also matches similar logic in the Action and REST APIs. Bug: T34716 Bug: T297416

Patch

File delta

Description

pear phail fail shebang.diff | (download)

vendor/pear/mail_mime/scripts/phail.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix shebang in vendor/pear/mail_mime/scripts/phail.php

0002 SECURITY Fix permissions checks in undo action CVE 2.patch | (download)

includes/EditPage.php | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

security: fix permissions checks in undo action (cve-2021-44858)

The traditional action=edit&undo= endpoint suffers from a flaw that
allows for leaking entire private wikis by enumerating through revision
IDs when at least one page was publicly accessible via $wgWhitelistRead.

05f06286f4def removed the restriction that user-supplied undo IDs belong
ot the same page. This check has been restored by using
RevisionLookup::getRevisionByTitle(), which returns null if the revid is

0003 SECURITY Require read right for most actions.patch | (download)

includes/MediaWiki.php | 5 5 + 0 - 0 !
includes/actions/Action.php | 10 10 + 0 - 0 !
includes/actions/ViewAction.php | 6 6 + 0 - 0 !
3 files changed, 21 insertions(+)

 security: require 'read' right for most actions

As a security hardening measure to limit exposure on private wikis from
actions on $wgWhitelistRead pages, require an explicit 'read' right on
actions by default. Currently only ViewAction disables this check since
it does its own permissions checking.

This is somewhat duplicative of the permissions check in
MediaWiki::performRequest() but we'll call it defense in depth. It also
matches similar logic in the Action and REST APIs.

Bug: T34716
Bug: T297416