-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3281
                         mediawiki security update
                              5 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mediawiki
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service    -- Remote/Unauthenticated      
                   Cross-site Scripting -- Remote with User Interaction
                   Reduced Security     -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41801 CVE-2021-41800 CVE-2021-41799
                   CVE-2021-41798 CVE-2021-35197 

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-4979

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running mediawiki check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4979-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2021                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799 CVE-2021-41800 
                 CVE-2021-41801

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in cross-site scripting,
denial of service and a bypass of restrictions in the "Replace Text"
extension.

For the oldstable distribution (buster), these problems have been fixed
in version 1:1.31.16-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1:1.35.4-1~deb11u1.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----