Fedora 29 : mediawiki (2018-f4b65fc7cd)

medium Nessus Plugin ID 120910



The remote Fedora host is missing a security update.



- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.

- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.

- (T180551) Fix LanguageSrTest for language converter

- (T180552) Fix language converter parser test with self-close tags

- (T180537) Remove $wgAuth usage from wrapOldPasswords.php

- (T180485) InputBox: Have inputbox langconvert certain attributes

- (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.

- (T172927) Drop vendor from MW release branch

- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array

- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).

- (T189567) The CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.

- (T182381) Mask deprecated call in WatchedItemUnitTest

- (T190503) Let built-in web server (maintenance/dev) handle .php requests.

- The karma qunit tests would fail on some configurations due to headers already sent. Check headers_sent() before sending cpPosTime headers.

- (T167507) selenium: Run Chrome headlessly.

- selenium: Pass -no-sandbox to Chrome under Docker

- (T191247) Use MediaWiki\SuppressWarnings around trigger_error() instead of @

- (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel fails under SQLite.

- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().

- (T179190) selenium: Move test running logic from package.json to selenium.sh.

- (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.

- Add default edit rate limit of 90 edits/minute for all users.

- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.

- (T196672) The mtime of extension.json files is now able to be zero

- (T180403) Validate $length in padleft/padright parser functions.

- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.

- (T194237) Special:BotPasswords now requires reauthentication.

- (T191608, T187638) Add 'logid' parameter to Special:Log.

- (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case

- (T193829) Indicate when a Bot Password needs reset.

- (T151415) Log email changes.

- (T118420) Unbreak Oracle installer.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected mediawiki package.


Plugin Details

Severity: Medium

ID: 120910

File Name: fedora_2018-f4b65fc7cd.nasl

Version: 1.6

Type: local

Agent: unix

Published: 1/3/2019

Updated: 1/6/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information


Risk Factor: Low

Score: 3.6


Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2018-0505


Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:mediawiki, cpe:/o:fedoraproject:fedora:29

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/7/2018

Vulnerability Publication Date: 10/4/2018

Reference Information

CVE: CVE-2018-0503, CVE-2018-0504, CVE-2018-0505