[GHSA-5vj8-g3qg-4qh6] An issue was discovered in MediaWiki before 1.35.10, 1.36... #4969
Conversation
Hi @Rudloff, thank you for the package find, but this edit seems incomplete based on the description.

Are you talking about the versions? Also, is there a way to edit my PR with the GUI tool?

Yep, the version ranges are missing, and yes, you can edit the PR without a GUI, either via the GitHub UI or by making a commit on the branch directly via a CLI :) As for how, each product can only have one version range, so you'll need to duplicate the package info for each affected range. You can see an example here

It looks like I don't have permission to push to the

Gotcha. Could you post it in this thread with any supporting commits/release notes/etc?
The ranges would be like this, I think:

```json
"affected": [
  {
    "package": {
      "ecosystem": "Packagist",
      "name": "mediawiki/core"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          {
            "introduced": "0"
          },
          {
            "fixed": "1.35.10"
          }
        ]
      }
    ]
  },
  {
    "package": {
      "ecosystem": "Packagist",
      "name": "mediawiki/core"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          {
            "introduced": "1.36.0"
          },
          {
            "fixed": "1.38.6"
          }
        ]
      }
    ]
  },
  {
    "package": {
      "ecosystem": "Packagist",
      "name": "mediawiki/core"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          {
            "introduced": "1.39.0"
          },
          {
            "fixed": "1.39.3"
          }
        ]
      }
    ]
  }
],
```

And the release notes mentioning the CVE:
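To see which MediaWiki versions the three ranges above actually cover, here is an added Python example (not part of this PR or of the advisory database's own tooling) that evaluates OSV `introduced`/`fixed` events against a version string. The `affected` data is the block from the comment, embedded inline; the assumed OSV semantics are that `introduced` is inclusive and `fixed` is exclusive.

```python
"""Evaluate OSV-style ECOSYSTEM version ranges from a GitHub Advisory entry."""
import json

# Constructed sample: the three-entry "affected" array proposed in this PR.
ADVISORY_AFFECTED = json.loads("""
[
  {"package": {"ecosystem": "Packagist", "name": "mediawiki/core"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "0"}, {"fixed": "1.35.10"}]}]},
  {"package": {"ecosystem": "Packagist", "name": "mediawiki/core"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "1.36.0"}, {"fixed": "1.38.6"}]}]},
  {"package": {"ecosystem": "Packagist", "name": "mediawiki/core"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "1.39.0"}, {"fixed": "1.39.3"}]}]}
]
""")


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ('1.35.10') into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def range_contains(events: list, version: str) -> bool:
    """Walk an ECOSYSTEM event list in order: 'introduced' opens the affected
    window (inclusive), 'fixed' closes it (the fixed version is not affected)."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected


def is_affected(affected_entries: list, name: str, version: str) -> bool:
    """True if any entry for `name` has an ECOSYSTEM range containing `version`.
    Each package entry carries one range, so the same package appears once per
    affected branch, which is exactly the layout the PR comment proposes."""
    for entry in affected_entries:
        if entry["package"]["name"] != name:
            continue
        for rng in entry["ranges"]:
            if rng["type"] == "ECOSYSTEM" and range_contains(rng["events"], version):
                return True
    return False
```

Note that versions between two windows (for example 1.35.10 up to 1.36.0) are reported as unaffected, which is what the separate entries express and is worth checking against the release notes.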
Looks good to me. Those release notes are fantastic! Let me get this going 👍

2e9fdf0 into Rudloff/advisory-improvement-4969
Hi @Rudloff! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Add Composer package