Operating System: Debian

Published: 05 October 2022

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4924
                         mediawiki security update
                              5 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mediawiki
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-41767 CVE-2022-41765 CVE-2022-34912
                   CVE-2022-34911 CVE-2022-31091 CVE-2022-31090
                   CVE-2022-31043 CVE-2022-31042 CVE-2022-29248
                   CVE-2022-28203 CVE-2022-28202 CVE-2022-28201
                   CVE-2021-44856 CVE-2021-44855 CVE-2021-44854

Original Bulletin: 
   http://www.debian.org/security/2022/dsa-5246

Comment: CVSS (Max):  8.1* CVE-2022-29248 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5246-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 04, 2022                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-44854 CVE-2021-44855 CVE-2021-44856 CVE-2022-28201 
                 CVE-2022-28202 CVE-2022-28203 CVE-2022-29248 CVE-2022-31042 
                 CVE-2022-31043 CVE-2022-31090 CVE-2022-31091 CVE-2022-34911 
                 CVE-2022-34912 CVE-2022-41765 CVE-2022-41767

Multiple security issues were discovered in MediaWiki, a website engine
for collaborative work, which could result in restriction bypass,
information leaks, cross-site scripting or denial of service.

For the stable distribution (bullseye), these problems have been fixed in
version 1:1.35.8-1~deb11u1.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
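
An added example, not part of the Debian or AusCERT text: a check of inventoried mediawiki versions against the fixed version 1:1.35.8-1~deb11u1, using a reimplementation of dpkg's version ordering (epoch, then upstream, then revision, with `~` sorting before everything). The hostnames, versions and the "host package version" inventory format are constructed assumptions; on a Debian host `dpkg --compare-versions` performs the same comparison.

```python
import re

FIXED = "1:1.35.8-1~deb11u1"  # bullseye fix version stated in DSA-5246-1

# Constructed inventory lines ("host package version"); hosts and versions are made up.
SAMPLE = """
web1 mediawiki 1:1.35.7-1~deb11u1
web2 mediawiki 1:1.35.8-1~deb11u1
web3 mediawiki 1:1.35.8-1
web4 mediawiki 1:1.35.4-1+deb11u2
"""

def _order(c):
    # dpkg weights: '~' < end-of-string < letters < other symbols
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run (weighted per character) and a numeric run
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            diff = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if diff:
                return diff
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def parse(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(lines, package="mediawiki", fixed=FIXED):
    # Hosts whose installed version sorts strictly below the fixed version
    rows = (l.split() for l in lines.strip().splitlines())
    return [h for h, pkg, v in rows if pkg == package and deb_cmp(v, fixed) < 0]

print(needs_upgrade(SAMPLE))
```

A plain string or dotted-number comparison gets two cases wrong here: a version without the `1:` epoch sorts below the fixed version regardless of its upstream number, and `1:1.35.8-1` sorts above `1:1.35.8-1~deb11u1` because of the tilde.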

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----