[Git][security-tracker-team/security-tracker][master] two mediawiki issues CVEfied

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon May 6 11:23:43 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8f1a7b95 by Moritz Muehlenhoff at 2024-05-06T12:23:03+02:00
two mediawiki issues CVEfied

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -23,9 +23,18 @@ CVE-2024-34508 (dcmnet in DCMTK before 3.6.9 has a segmentation fault via an inv
 	NOTE: https://support.dcmtk.org/redmine/issues/1114
 	NOTE: https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
 CVE-2024-34507 (An issue was discovered in includes/CommentFormatter/CommentParser.php ...)
-	TODO: check
+	- mediawiki 1:1.39.7-1
+	[bookworm] - mediawiki 1:1.39.7-1~deb12u1
+	[bullseye] - mediawiki <not-affected> (Vulnerable code not present, introduced in 1.38)
+	[buster] - mediawiki <not-affected> (Vulnerable code not present, introduced in 1.38)
+	NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
+	NOTE: https://phabricator.wikimedia.org/T355538
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015422
 CVE-2024-34506 (An issue was discovered in includes/specials/SpecialMovePage.php in Me ...)
-	TODO: check
+	- mediawiki 1:1.39.7-1
+	NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
+	NOTE: https://phabricator.wikimedia.org/T357760
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423
 CVE-2024-34502 (An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6,  ...)
 	NOT-FOR-US: MediaWiki extension WikibaseLexeme
 CVE-2024-34500 (An issue was discovered in the UnlinkedWikibase extension in MediaWiki ...)
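Review bot: The two new entries are asymmetric in a way worth a second look: CVE-2024-34507 carries `[bookworm] - mediawiki 1:1.39.7-1~deb12u1`, while CVE-2024-34506 has only the unstable line `- mediawiki 1:1.39.7-1` and no per-suite lines at all. That is fine if the bookworm status for CVE-2024-34506 is meant to come from the DSA-5651-1 reference added in the DSA/list hunk, but then CVE-2024-34507, fixed by the same 1:1.39.7-1~deb12u1 upload, should either be listed in DSA-5651-1 as well or get a short NOTE explaining why it is tracked here instead. Otherwise the ordering (`[bookworm]` before the two `<not-affected>` suites) and the buster/bullseye "introduced in 1.38" justification match the removed placeholder.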
@@ -12480,22 +12489,6 @@ CVE-2020-36828 (A vulnerability was found in DiscuzX up to 3.4-20200818. It has
 	NOT-FOR-US: DiscuzX
 CVE-2017-20191 (A vulnerability was found in Zimbra zm-admin-ajax up to 8.8.1. It has  ...)
 	NOT-FOR-US: Zimbra
-CVE-2024-XXXX [mediawiki: XSS in edit summary parser]
-	- mediawiki 1:1.39.7-1
-	[bookworm] - mediawiki 1:1.39.7-1~deb12u1
-	[bullseye] - mediawiki <not-affected> (Vulnerable code not present, introduced in 1.38)
-	[buster] - mediawiki <not-affected> (Vulnerable code not present, introduced in 1.38)
-	NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
-	NOTE: https://phabricator.wikimedia.org/T355538
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015422
-CVE-2024-XXXX [mediawiki:  Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages]
-	- mediawiki 1:1.39.7-1
-	[bookworm] - mediawiki 1:1.39.7-1~deb12u1
-	[bullseye] - mediawiki 1:1.35.13-1+deb11u2
-	[buster] - mediawiki 1:1.31.16-1+deb10u8
-	NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
-	NOTE: https://phabricator.wikimedia.org/T357760
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423
 CVE-2024-3118 (A vulnerability, which was classified as critical, has been found in D ...)
 	NOT-FOR-US: Dreamer CMS
 CVE-2024-3117 (A vulnerability classified as critical was found in YouDianCMS up to 9 ...)
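Review bot: Dropping the two CVE-2024-XXXX placeholders is the right move now that the ids are assigned, but note that the removed MovePage entry carried explicit `[bullseye] - mediawiki 1:1.35.13-1+deb11u2` and `[buster] - mediawiki 1:1.31.16-1+deb10u8` lines, and the replacement CVE-2024-34506 entry in the first hunk has none. The bullseye, buster and bookworm status of CVE-2024-34506 therefore rests entirely on the cross-references added to DLA-3796-1 and DSA-5651-1 in this same commit; please confirm those advisory versions match the ones being removed here before merging.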


=====================================
data/DLA/list
=====================================
@@ -37,7 +37,7 @@
 	{CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949}
 	[buster] - frr 7.5.1-1.1+deb10u2
 [27 Apr 2024] DLA-3796-1 mediawiki - security update
-	{CVE-2023-51704}
+	{CVE-2023-51704 CVE-2024-34506}
 	[buster] - mediawiki 1:1.31.16-1+deb10u8
 [26 Apr 2024] DLA-3795-1 knot-resolver - security update
 	{CVE-2019-10190 CVE-2019-10191 CVE-2019-19331 CVE-2020-12667}


=====================================
data/DSA/list
=====================================
@@ -98,6 +98,7 @@
 	{CVE-2022-44900}
 	[bullseye] - py7zr 0.11.3+dfsg-1+deb11u1
 [31 Mar 2024] DSA-5651-1 mediawiki - security update
+	{CVE-2024-34506}
 	[bullseye] - mediawiki 1:1.35.13-1+deb11u2
 	[bookworm] - mediawiki 1:1.39.7-1~deb12u1
 [31 Mar 2024] DSA-5650-1 util-linux - security update



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1a7b9558c5ffaa58b6ef6333ee9713e39a75c4
