[Git][security-tracker-team/security-tracker][master] more mediawiki issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Jun 30 20:09:42 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aff7df9d by Moritz Muehlenhoff at 2026-06-30T21:09:16+02:00
more mediawiki issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,24 +1,59 @@
+CVE-2026-58030 [Escape linelinks argument before passing it on to Pygments]
+	- mediawiki <unfixed>
+	NOTE: https://phabricator.wikimedia.org/T427167
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306180 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/1306191 (REL1_43)
+CVE-2026-58027 [Hide hit count for private/protected filters in API]
+	- mediawiki <unfixed>
+	NOTE: https://phabricator.wikimedia.org/T406954
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306182 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1306181 (REL1_43)
+CVE-2026-58025 [Safely unserialize log entry parameters]
+	- mediawiki <unfixed>
+	NOTE: https://phabricator.wikimedia.org/T422244
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306343 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306363 (REL1_43)
+CVE-2026-58037 [LogFormatter: 'raw' parameter format is no longer raw HTML]
+	- mediawiki <unfixed>
+	NOTE: https://phabricator.wikimedia.org/T422995
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306232 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306314 (REL1_43)
+CVE-2026-58029 [Check for editmyprivateinfo right in more places]
+	- mediawiki <unfixed>
+	NOTE: http://phabricator.wikimedia.org/T422676
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306215 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306313 (REL1_43)
+CVE-2026-58024 [Restrict interwiki user lookup in ApiUserrights]
+	- mediawiki <unfixed>
+	NOTE: https://phabricator.wikimedia.org/T422085
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1268588 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306312 (REL1_43)
+CVE-2026-58026 [Make sure the actual title that's being transcluded is includable]
+	- mediawiki <unfixed>
+	NOTE: http://phabricator.wikimedia.org/T299359
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306214 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306311 (REL1_43)
 CVE-2026-58032 [mw.Api.getErrorMessage: Treat formatversion=1 as text]
 	- mediawiki <unfixed>
 	NOTE: https://phabricator.wikimedia.org/T426867
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (main)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306213 (master)
 	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306310 (REL1_43)
 CVE-2026-58033 [Exclude rev-deleted usernames from distinct authors query]
 	- mediawiki <unfixed>
 	NOTE: https://phabricator.wikimedia.org/T427235
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (main)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306212 (master)
 	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306309 (REL1_43)
 CVE-2026-58028 [Disallow user JS in pretty-print api.php responses]
 	- mediawiki <unfixed>
 	NOTE: http://phabricator.wikimedia.org/T422306
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (main)
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 (main)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306211 (master)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306216 (master)
 	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306308 (REL1_43)
 	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1306320 (REL1_43)
 CVE-2026-58036 [Fix ApiQueryUsers leaking status ofprivate user conditions for user]
 	- mediawiki <not-affected> (Only affects 1.46 and later)
 	NOTE: https://phabricator.wikimedia.org/T425406
-	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (main)
+	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1306035 (master)
 CVE-2026-13766
 	NOT-FOR-US: DBIx::QuickORM Perl module
 CVE-2026-57082


=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mediawiki
+--
 netty
 --
 nginx (carnil)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aff7df9d0486dcc48f44e39997e98867073dc3ff
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260630/74c1744f/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list