Debian Local Security Checks : Debian: Security Advisory (DLA-2648-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.892648

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DLA-2648-1)

Summary: The remote host is missing an update for the Debian 'mediawiki' package(s) announced via the DLA-2648-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'mediawiki' package(s) announced via the DLA-2648-1 advisory.

Vulnerability Insight:
Several vulnerabilities were discovered in mediawiki, a wiki website engine for collaborative work.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments used by mediawiki as one if its lexers may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the exception keyword.

CVE-2021-27291

pygments, the lexers used by mediawiki rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-30152

An issue was discovered in MediaWiki. When using the MediaWiki API to protect a page, a user is currently able to protect to a higher level than they currently have permissions for.

CVE-2021-30155

An issue was discovered in MediaWiki before. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.

CVE-2021-30158

An issue was discovered in MediaWiki. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.

CVE-2021-30159

An issue was discovered in MediaWiki. Users can bypass intended restrictions on deleting pages in certain fast double move situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

For Debian 9 stretch, these problems have been fixed in version 1:1.27.7-1~
deb9u8.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at: [link moved to references]

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS:
'mediawiki' package(s) on Debian 9.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2021-20270
Debian Security Information: DSA-4889 (Google Search)
https://www.debian.org/security/2021/dsa-4889
https://bugzilla.redhat.com/show_bug.cgi?id=1922136
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-27291
Debian Security Information: DSA-4878 (Google Search)
https://www.debian.org/security/2021/dsa-4878
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-30152
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
https://security.gentoo.org/glsa/202107-40
https://phabricator.wikimedia.org/T270713
Common Vulnerability Exposure (CVE) ID: CVE-2021-30155
https://phabricator.wikimedia.org/T270988
Common Vulnerability Exposure (CVE) ID: CVE-2021-30158
https://phabricator.wikimedia.org/T277009
Common Vulnerability Exposure (CVE) ID: CVE-2021-30159
https://phabricator.wikimedia.org/T272386

Copyright Copyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.892648
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-2648-1)
Summary:	The remote host is missing an update for the Debian 'mediawiki' package(s) announced via the DLA-2648-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'mediawiki' package(s) announced via the DLA-2648-1 advisory. Vulnerability Insight: Several vulnerabilities were discovered in mediawiki, a wiki website engine for collaborative work. CVE-2021-20270 An infinite loop in SMLLexer in Pygments used by mediawiki as one if its lexers may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the exception keyword. CVE-2021-27291 pygments, the lexers used by mediawiki rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. CVE-2021-30152 An issue was discovered in MediaWiki. When using the MediaWiki API to protect a page, a user is currently able to protect to a higher level than they currently have permissions for. CVE-2021-30155 An issue was discovered in MediaWiki before. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. CVE-2021-30158 An issue was discovered in MediaWiki. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. CVE-2021-30159 An issue was discovered in MediaWiki. Users can bypass intended restrictions on deleting pages in certain fast double move situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master. For Debian 9 stretch, these problems have been fixed in version 1:1.27.7-1~ deb9u8. We recommend that you upgrade your mediawiki packages. For the detailed security status of mediawiki please refer to its security tracker page at: [link moved to references] Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'mediawiki' package(s) on Debian 9. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-20270 Debian Security Information: DSA-4889 (Google Search) https://www.debian.org/security/2021/dsa-4889 https://bugzilla.redhat.com/show_bug.cgi?id=1922136 https://www.oracle.com/security-alerts/cpuoct2021.html https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html Common Vulnerability Exposure (CVE) ID: CVE-2021-27291 Debian Security Information: DSA-4878 (Google Search) https://www.debian.org/security/2021/dsa-4878 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/ https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html Common Vulnerability Exposure (CVE) ID: CVE-2021-30152 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/ https://security.gentoo.org/glsa/202107-40 https://phabricator.wikimedia.org/T270713 Common Vulnerability Exposure (CVE) ID: CVE-2021-30155 https://phabricator.wikimedia.org/T270988 Common Vulnerability Exposure (CVE) ID: CVE-2021-30158 https://phabricator.wikimedia.org/T277009 Common Vulnerability Exposure (CVE) ID: CVE-2021-30159 https://phabricator.wikimedia.org/T272386
Copyright	Copyright (C) 2021 Greenbone AG