Vulnerable to information disclosure through various actions

debdiff for impish

Note that the version in focal is not vulnerable to CVE-2021-44857 nor CVE-2021-45038.

Note the version in bionic is not vulnerable to CVE-2021-44857 nor CVE-2021-45038.

The attachment "impish.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Removing ~ubuntu-sponsors and subscribing ~ubuntu-security-sponsors, as this should be applied to the security pocket.

Version in jammy includes the fixes:

mediawiki (1:1.35.5-1) unstable; urgency=high

  [ Kunal Mehta ]
  * New upstream version 1.35.5, fixing CVE-2021-44854, CVE-2021-44855,
    CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038.

  [ Debian Janitor ]
  * Remove constraints unnecessary since buster

 -- Kunal Mehta <email address hidden> Thu, 30 Sep 2021 20:42:36 -0700

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Hi Kunal,

Thanks for preparing these updates, I'm looking at them now. Apologies that they didn't get picked up earlier.

Hey Kunal, thanks again for preparing these debdiffs. After reviewing them, I've gone ahead and uploaded the packages to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages to build and run through autopkgtests; any feedback or additional testing you or anyone can give would be greatly appreciated.

Thanks again.

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Hi,

Packages have been in the security team PPA for months now. Could the bug reporter please test the proposed packages so we can release them? Thanks!

It's been another month where this has been waiting on testing from the bug reporter. I don't think there's anything to sponsor here right now and would suggest unsubscribing security sponsors.

I asked in #ubuntu-security to have someone unsubscribe ubuntu-security-sponsors from this bug, as there is nothing to sponsor.

I tried to match the sponsored patch with the upstream commits, and it's very confusing. I'm not sure I would have sponsored that as-is, at least not without further explanations.

The upstream security announcement[1] lists 5 CVEs, with 5 associated upstream bugs, but the patch in the sponsored package only mentions CVE-44854. Furthermore, the patch mentions that CVE together with upstream bug T297322[2], but the same CVE is also associated with another upstream bug T292763[3], which seems to have a different patch. I.e., are there fixes missing? What about these?

* https://phabricator.wikimedia.org/T294686
* https://phabricator.wikimedia.org/T293589
* https://phabricator.wikimedia.org/T271037

1. https://www.mediawiki.org/wiki/2021-12_security_release/FAQ
2. https://phabricator.wikimedia.org/T297322
3. https://phabricator.wikimedia.org/T292763