[Git][security-tracker-team/security-tracker][master] auto-nfu: Add Wikimedia rule
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Oct 21 23:11:27 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
06d3f8df by Moritz Muehlenhoff at 2025-10-22T00:10:58+02:00
auto-nfu: Add Wikimedia rule
- - - - -
2 changed files:
- data/CVE/list
- data/packages/nfu.yaml
Changes:
=====================================
data/CVE/list
=====================================
@@ -306,17 +306,17 @@ CVE-2025-6542 (An arbitrary OS command may be executed on the product by a remot
CVE-2025-6541 (An arbitrary OS command may be executed on the product by the user who ...)
NOT-FOR-US: TP-Link
CVE-2025-62702 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62701 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62699 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62696 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62695 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62694 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62684
REJECTED
CVE-2025-62683
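Review bot: The reason string on the six new NOT-FOR-US lines (CVE-2025-62702 through CVE-2025-62694) does not say which extension or skin each CVE concerns, and the truncated descriptions show only the weakness class, so an entry such as CVE-2025-62696 (command injection) cannot be traced to a product from this file alone. Neighbouring entries name the vendor ("NOT-FOR-US: TP-Link"). Consider having the rule's reason carry the matched product name, or accept that re-triage after one of these extensions gets packaged will mean going back to the CVE records.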
@@ -334,11 +334,11 @@ CVE-2025-62678
CVE-2025-62677
REJECTED
CVE-2025-62658 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62657 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-62656 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-61303 (Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows ...)
NOT-FOR-US: Hatching Triage Sandbox
CVE-2025-61301 (Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py i ...)
@@ -353,7 +353,7 @@ CVE-2025-54764 (Mbed TLS before 3.6.5 allows a local timing attack against certa
CVE-2025-26392 (SolarWinds Observability Self-Hosted is susceptible to SQL injection v ...)
NOT-FOR-US: SolarWinds
CVE-2025-12004 (Incorrect Permission Assignment for Critical Resource vulnerability in ...)
- TODO: check
+ NOT-FOR-US: MediaWiki extensions/skins not packaged in Debian
CVE-2025-12001 (Lack of application manifest sanitation could lead to potential stored ...)
NOT-FOR-US: Azure Access Technology
CVE-2025-11949 (EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing ...)
=====================================
data/packages/nfu.yaml
=====================================
@@ -539,6 +539,19 @@
- product: System Information Reporter
- product: Trellix Endpoint Security (HX) Agent
- product: Trellix HX Console
+- reason: MediaWiki extensions/skins not packaged in Debian
+ allOf:
+ - cna: wikimedia-foundation
+ - anyOf:
+ - product: MediaWiki GlobalBlocking extension
+ - product: MediaWiki PageForms extension
+ - product: MediaWiki WatchAnalytics extension
+ - product: Mediawiki - Lockdown Extension
+ - product: Mediawiki - PageTriage Extension
+ - product: Mediawiki - Translate Extension
+ - product: Mediawiki - WikiLambda Extension
+ - product: Mediawiki - WikiLove Extension
+ - product: Mediawiki - Wikistories
# Description based rules
- reason: Advantech
description: '.*\bAdvantech\b.*'
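Review bot: The anyOf list in the new rule mixes two spellings of the product prefix ("MediaWiki GlobalBlocking extension" versus "Mediawiki - Lockdown Extension"), and "Mediawiki - Wikistories" carries no "Extension" suffix. If these strings are copied verbatim from the CNA's product fields and matching is exact, a comment line above the rule saying so would keep a later cleanup from normalising them and silently breaking the match. The same comment could note that every further unpackaged extension has to be added to this list by hand.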
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06d3f8df7970ec4c1f92a7d16f43eec7b705ba55
More information about the debian-security-tracker-commits mailing list