-------------------------------------------------------------------------
Debian LTS Advisory DLA-4428-1                [email protected]
https://www.debian.org/lts/security/                       Guilhem Moulin
December 30, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.35.13-1+deb11u6
CVE ID         : CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480
                 CVE-2025-67481 CVE-2025-67482 CVE-2025-67484

Multiple security vulnerabilities were found in mediawiki, a website
engine for collaborative work, which could lead to information
disclosure, denial of service or privilege escalation.

CVE-2025-67475

    Square brackets in autocomment links were not always escaped.

CVE-2025-67478

    Commas not separating values in RFC 2822 style headers were not
    escaped, hence could be interpreted downstream as value separators.

CVE-2025-67479

    Underscore and wide underscore were not always sanitized in `data-*`
    attribute names.

CVE-2025-67480

    ApiQueryRevisionsBase did not check for read permissions for the
    target page.

CVE-2025-67481

    Insufficient `style` attribute sanitation in client-side messages
    (jqueryMsg).

    As such attributes are difficult to sanitize properly (the logic
    needs to be updated constantly as new CSS features are developed by
    browser vendors) and their use cases in client-side messages are
    extremely rare, they are no longer allowed.

    If needed, `class` and `id` are still allowed, so these elements can
    be targeted by normal stylesheets.

CVE-2025-67482

    Scribunto extension: Segfault in unpack() with large integers
    affecting some builds of Lua.

CVE-2025-67484

    Cross-site scripting (XSS) vulnerability via the xslt option for users
    with the "editinterface" permission.  The xslt option is now
    disabled by default.  If the former unsafe behavior is desired, it
    can be re-enabled by setting `$wgEnableUnsafeXsltOption` to true.
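    After upgrading, an administrator will want to confirm that
    `$wgEnableUnsafeXsltOption` has not been turned back on.  The check
    below is an added example written for this advisory, not code from
    Debian or MediaWiki; it assumes the setting is a plain PHP assignment
    in LocalSettings.php and uses constructed sample configurations.

```python
"""Audit a MediaWiki LocalSettings.php for $wgEnableUnsafeXsltOption.

With the fixed package the xslt option is off unless this variable is
explicitly set to true, so a live assignment to true is the finding.
"""
import re

# Uncommented assignment such as:  $wgEnableUnsafeXsltOption = true;
# Accepts true/false/1/0 (case-insensitive); PHP's last assignment wins.
_ASSIGN = re.compile(
    r"^\s*\$wgEnableUnsafeXsltOption\s*=\s*(true|false|1|0)\s*;",
    re.IGNORECASE | re.MULTILINE,
)


def _strip_comments(php: str) -> str:
    """Remove /* */ blocks and whole-line // or # comments so a
    commented-out assignment is not mistaken for a live one."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^\s*(//|#).*$", "", php, flags=re.MULTILINE)


def unsafe_xslt_enabled(localsettings: str) -> bool:
    """True when the last live assignment enables the unsafe xslt option.
    An absent setting means the post-advisory default: disabled."""
    values = _ASSIGN.findall(_strip_comments(localsettings))
    if not values:
        return False
    return values[-1].lower() in ("true", "1")


# Constructed sample configurations (not taken from any real installation).
SAMPLE_HARDENED = """<?php
$wgSitename = "Example Wiki";
# $wgEnableUnsafeXsltOption = true;   // left disabled after the upgrade
"""
SAMPLE_WEAK = """<?php
$wgSitename = "Example Wiki";
$wgEnableUnsafeXsltOption = true; // restores the pre-fix behaviour
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        state = "ENABLED (review!)" if unsafe_xslt_enabled(cfg) else "disabled"
        print(f"{name}: unsafe xslt option {state}")
```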

For Debian 11 bullseye, these problems have been fixed in version
1:1.35.13-1+deb11u6.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
