CVE-2017-0361

Source
Severity High
Remote No
Type Information disclosure
Description
MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs.
Group    Package    Affected  Fixed     Severity  Status  Ticket
AVG-490  mediawiki  1.29.1-1  1.29.2-1  High      Fixed
AVG-236  mediawiki  1.28.0-1  1.28.1-1  High      Fixed
Date         Advisory       Group    Package    Severity  Description
15 Nov 2017  ASA-201711-20  AVG-490  mediawiki  High      multiple issues
07 Apr 2017  ASA-201704-3   AVG-236  mediawiki  High      multiple issues
References
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
https://phabricator.wikimedia.org/T125177
https://phabricator.wikimedia.org/T180488
https://github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6aed047f7418a2
https://github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff4a90b214034
Notes
CVE-2017-0361 was not correctly fixed in all branches, nor in the security releases preceding 1.29.2.