Fedora 27 : mediawiki (2018-edf90410ea)

medium Nessus Plugin ID 117965

Synopsis

The remote Fedora host is missing a security update.

Description

https://www.mediawiki.org/wiki/Release_notes/1.29#MediaWiki_1.29.3

- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.

- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.

- (T180551) Fix LanguageSrTest for language converter

- (T180552) Fix language converter parser test with self-close tags

- (T180537) Remove $wgAuth usage from wrapOldPasswords.php

- (T180485) InputBox: Have inputbox langconvert certain attributes

- (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.

- (T172927) Drop vendor from MW release branch

- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array

- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).

- (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass
--with-extensions to enable that feature.

- (T182381) Mask deprecated call in WatchedItemUnitTest

- (T190503) Let built-in web server (maintenance/dev) handle .php requests.

- The karma qunit tests would fail on some configurations due to headers already sent. Check headers_sent() before sending cpPosTime headers.

- (T167507) selenium: Run Chrome headlessly.

- selenium: Pass -no-sandbox to Chrome under Docker

- (T191247) Use MediaWiki\SuppressWarnings around trigger_error() instead of the @ error-suppression operator.

- (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel fails under SQLite.

- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().

- (T179190) selenium: Move test running logic from package.json to selenium.sh.

- (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.

- Add default edit rate limit of 90 edits/minute for all users.

- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.

- (T196672) The mtime of extension.json files may now be zero.

- (T180403) Validate $length in padleft/padright parser functions.

- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.

- (T194237) Special:BotPasswords now requires reauthentication.

- (T191608, T187638) Add 'logid' parameter to Special:Log.

- (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case

- (T193829) Indicate when a Bot Password needs reset.

- (T151415) Log email changes.

- (T118420) Unbreak Oracle installer.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected mediawiki package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2018-edf90410ea

Plugin Details

Severity: Medium

ID: 117965

File Name: fedora_2018-edf90410ea.nasl

Version: 1.7

Type: local

Agent: unix

Published: 10/9/2018

Updated: 7/31/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2018-0505

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:mediawiki, cpe:/o:fedoraproject:fedora:27

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/7/2018

Vulnerability Publication Date: 10/4/2018

Reference Information

CVE: CVE-2018-0503, CVE-2018-0504, CVE-2018-0505