Debian alert DLA-4355-1 (mediawiki)
| From: | Guilhem Moulin <guilhem@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4355-1] mediawiki security update |
| Date: | Fri, 31 Oct 2025 09:02:33 +0100 |
| Message-ID: | <aQRtGZltkzlNyMs_@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4355-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
October 31, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.35.13-1+deb11u5
CVE ID         : CVE-2025-11173 CVE-2025-11261 CVE-2025-61635 CVE-2025-61638
                 CVE-2025-61639 CVE-2025-61640 CVE-2025-61641 CVE-2025-61643
                 CVE-2025-61646 CVE-2025-61653 CVE-2025-61655 CVE-2025-61656

Multiple security vulnerabilities were found in mediawiki, a website engine
for collaborative work, that could lead to information disclosure, denial of
service or privilege escalation.

CVE-2025-11173

    OATHAuth extension: Reauthentication for enabling 2FA can be bypassed by
    submitting a form in Special:OATHManage.

CVE-2025-11261

    Stored i18n Cross-site scripting (XSS) vulnerability in
    mw.language.listToText.

CVE-2025-61635

    ConfirmEdit extension: Missing rate limiting in ApiFancyCaptchaReload.

CVE-2025-61638

    Parsoid: Validation bypass for `data-` attributes.

CVE-2025-61639

    Log entries which are hidden from the creation of the entry may be
    disclosed to the public recent change entry.

CVE-2025-61640

    Stored i18n Cross-site scripting (XSS) vulnerability in
    Special:RecentChangesLinked.

CVE-2025-61641

    DDoS vulnerability in QueryAllPages API in miser mode. The `maxsize`
    value is now ignored in that mode.

CVE-2025-61643

    Suppressed recent changes may be disclosed to the public RCFeeds.

CVE-2025-61646

    Public Watchlist/RecentChanges pages may disclose hidden usernames when
    an individual editor makes consecutive revisions on a single page, and
    only some are marked as hidden username.

CVE-2025-61653

    TextExtracts extension: Information disclosure vulnerability in the
    extracts API action endpoint due to missing read permission check.

CVE-2025-61655

    VisualEditor extension: Stored i18n Cross-site scripting (XSS)
    vulnerability in `lastModifiedAt` system messages.

CVE-2025-61656

    VisualEditor extension: Missing attribute validation for attributes
    unwrapped from `data-ve-attributes`.

For Debian 11 bullseye, these problems have been fixed in version
1:1.35.13-1+deb11u5.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
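To check whether a bullseye host already carries the fixed package, the following added example (not part of the advisory, and not dpkg's own code) reimplements dpkg's version ordering in Python, so that an installed version string, as printed by `dpkg-query -W -f='${Version}' mediawiki`, can be compared against the fixed version 1:1.35.13-1+deb11u5 named above. The version strings used as inputs are constructed for illustration.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "1:1.35.13-1+deb11u5"  # fixed bullseye version from the advisory

def _order(c):
    # dpkg character weight: end of string and digits 0, '~' below
    # everything, letters by code point, other punctuation above letters.
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _fragment_cmp(a, b):
    # Same ordering as dpkg's verrevcmp(): walk alternating non-digit and
    # numeric runs; non-digit runs compare per character, numeric runs as ints.
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def parse_version(version):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    for x, y in ((ea, eb), (ua, ub), (ra, rb)):
        r = (x > y) - (x < y) if isinstance(x, int) else _fragment_cmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

def is_fixed(installed, fixed=FIXED_VERSION):
    # True when the host carries the fixed package or a newer one.
    return compare_versions(installed, fixed) >= 0
```

A `~` suffix sorts below the bare version, so a constructed backport-style string such as `1:1.35.13-1+deb11u5~bpo` is reported as not fixed, which matches how dpkg itself would order it.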
Attachment: signature.asc (type=application/pgp-signature)
