{"id":"MGASA-2017-0429","summary":"Updated mediawiki packages fix security vulnerabilities","details":"XSS when $wgShowExceptionDetails = false and browser sends non-standard\nurl escaping (CVE-2017-8808).\n\nReflected File Download from api.php (CVE-2017-8809).\n\nOn private wikis, login form shouldn't distinguish between login failure\ndue to bad username and bad password (CVE-2017-8810).\n\nIt's possible to mangle HTML via raw message parameter expansion\n(CVE-2017-8811).\n\nThe id attribute on headlines allow raw \u003e (CVE-2017-8812).\n\nLanguage converter can be tricked into replacing text inside tags by\nadding a lot of junk after the rule definition (CVE-2017-8814).\n\nLanguage converter: unsafe attribute injection via glossary rules\n(CVE-2017-8815).\n\ncomposer.json has require-dev versions of PHPUnit with known security\nissues (CVE-2017-9841).\n\nNote that MediaWiki 1.23.x on Mageia 5 is no longer supported.  Those\nusing the mediawiki package on Mageia 5 should upgrade to Mageia 6.\n","modified":"2026-04-16T06:26:00.547690493Z","published":"2017-11-29T18:52:42Z","upstream":["CVE-2017-8808","CVE-2017-8809","CVE-2017-8810","CVE-2017-8811","CVE-2017-8812","CVE-2017-8814","CVE-2017-8815","CVE-2017-9841"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0429.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22038"},{"type":"WEB","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html"}],"affected":[{"package":{"name":"mediawiki","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/mediawiki?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.27.4-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0429.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}