[Git][security-tracker-team/security-tracker][master] more mediawiki issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 30 20:09:42 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aff7df9d by Moritz Muehlenhoff at 2026-06-30T21:09:16+02:00
more mediawiki issues
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,24 +1,59 @@
+CVE-2026-58030 [Escape linelinks argument before passing it on to Pygments]
+ - mediawiki <unfixed>
+ NOTE: https://phabricator.wikimedia.org/T427167
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306180 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306191 (REL1_43)
+CVE-2026-58027 [Hide hit count for private/protected filters in API]
+ - mediawiki <unfixed>
+ NOTE: https://phabricator.wikimedia.org/T406954
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306182 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306181 (REL1_43)
+CVE-2026-58025 [Safely unserialize log entry parameters]
+ - mediawiki <unfixed>
+ NOTE: https://phabricator.wikimedia.org/T422244
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306343 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306363 (REL1_43)
+CVE-2026-58037 [LogFormatter: 'raw' parameter format is no longer raw HTML]
+ - mediawiki <unfixed>
+ NOTE: https://phabricator.wikimedia.org/T422995
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306232 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306314 (REL1_43)
+CVE-2026-58029 [Check for editmyprivateinfo right in more places]
+ - mediawiki <unfixed>
+ NOTE: http://phabricator.wikimedia.org/T422676
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306215 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306313 (REL1_43)
+CVE-2026-58024 [Restrict interwiki user lookup in ApiUserrights]
+ - mediawiki <unfixed>
+ NOTE: https://phabricator.wikimedia.org/T422085
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1268588 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306312 (REL1_43)
+CVE-2026-58026 [Make sure the actual title that's being transcluded is includable]
+ - mediawiki <unfixed>
+ NOTE: http://phabricator.wikimedia.org/T299359
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306214 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306311 (REL1_43)
CVE-2026-58032 [mw.Api.getErrorMessage: Treat formatversion=1 as text]
- mediawiki <unfixed>
NOTE: https://phabricator.wikimedia.org/T426867
- NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (main)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (master)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306310 (REL1_43)
CVE-2026-58033 [Exclude rev-deleted usernames from distinct authors query]
- mediawiki <unfixed>
NOTE: https://phabricator.wikimedia.org/T427235
- NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (main)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (master)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306309 (REL1_43)
CVE-2026-58028 [Disallow user JS in pretty-print api.php responses]
- mediawiki <unfixed>
NOTE: http://phabricator.wikimedia.org/T422306
- NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (main)
- NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 (main)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (master)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 (master)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306308 (REL1_43)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306320 (REL1_43)
CVE-2026-58036 [Fix ApiQueryUsers leaking status ofprivate user conditions for user]
- mediawiki <not-affected> (Only affects 1.46 and later)
NOTE: https://phabricator.wikimedia.org/T425406
- NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (main)
+ NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (master)
CVE-2026-13766
NOT-FOR-US: DBIx::QuickORM Perl module
CVE-2026-57082
=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
+mediawiki
+--
netty
--
nginx (carnil)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260630/74c1744f/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list