Bug 13593

Summary: mediawiki new security issue fixed upstream in 1.23.1
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: RPM Packages
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb, warrendiogenese
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/604602/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
Source RPM: mediawiki-1.22.7-1.mga4.src.rpm
CVE:
Status comment:
Attachments: mediawiki-math

Description David Walser 2014-06-25 13:53:42 CEST
Upstream will release version 1.23.1 today:
http://openwall.com/lists/oss-security/2014/06/25/4

We'll upgrade to this LTS version for Mageia 3 and Mageia 4 as well.

The mediawiki-ldapauthentication and mediawiki-math packages will be updated as well (already done in Cauldron).

David Walser 2014-06-25 13:53:48 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-06-26 15:51:33 CEST
The updated releases have been announced:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

I'm not sure if they'll get a CVE:
http://openwall.com/lists/oss-security/2014/06/26/1

We'll see what happens with that.  For now, the updated packages are built and uploaded and can be tested.

Updated packages in core/updates_testing:
========================
mediawiki-1.23.1-1.mga3
mediawiki-mysql-1.23.1-1.mga3
mediawiki-pgsql-1.23.1-1.mga3
mediawiki-sqlite-1.23.1-1.mga3
mediawiki-ldapauthentication-2.1.0-1.mga3
mediawiki-math-1.2.0-1.mga3
mediawiki-1.23.1-1.mga4
mediawiki-mysql-1.23.1-1.mga4
mediawiki-pgsql-1.23.1-1.mga4
mediawiki-sqlite-1.23.1-1.mga4
mediawiki-ldapauthentication-2.1.0-1.mga4
mediawiki-math-1.2.0-1.mga4

from SRPMS:
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: mediawiki new security issues fixed upstream in 1.23.1 => mediawiki new security issue fixed upstream in 1.23.1
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 William Murphy 2014-06-27 18:34:28 CEST
Created attachment 5218
mediawiki-math

Tested on Mageia 3 & 4 for both i586 & x86_64 archs with instances for mysql, postgresql and sqlite.

The mediawiki-ldapauthentication extension doesn't support sqlite, so tested that without ldap authentication. Mysql and postgresql are both supported by it, so tested them using ldap.

The mediawiki-math extension works using mathjax and without it, but one of the new tools, texvccheck, was not compiled while building the package. It's a security tool that filters out any spam or other badness that may have been injected into the markup beforehand.

The extension works without it, but there are complaints in the logs. I patched (this attachment) the spec, rebuilt and upgraded the package. No more complaints in the logs.

CC: (none) => warrendiogenese

Comment 3 David Walser 2014-06-27 19:08:40 CEST
Thanks!  I fixed mediawiki-math.

Now we have:
mediawiki-math-1.2.0-1.1.mga3
mediawiki-math-1.2.0-1.1.mga4

Comment 4 William Murphy 2014-06-27 23:31:29 CEST
That fixed mediawiki-math. No more errors in the logs.

Testing complete.

------------------------------------------
Update validated.
Thanks.

Advisories:
No CVEs or PoC at this time. See Comment #1

SRPMS: 
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK

Comment 5 David Walser 2014-06-28 00:25:57 CEST
MITRE has contributed their two cents, so it really sounds like no CVE:
http://openwall.com/lists/oss-security/2014/06/27/18

I hadn't actually made an advisory for this one yet.

Advisory:
--------

This update provides MediaWiki 1.23.1, which provides several new features
and fixes a couple of minor bugs from 1.22.7.  The MediaWiki 1.23 branch is
a Long Term Support branch, so this update will provide a basis for more
stability for this package in the future.

The mediawiki-ldapauthentication and mediawiki-math packages have been
updated to versions that are compatible with MediaWiki 1.23.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000152.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

Comment 6 Thomas Backlund 2014-07-04 20:58:31 CEST
dropped security component.

advisory added

update pushed:
http://advisories.mageia.org/MGAA-2014-0142.html

Status: NEW => RESOLVED
CC: (none) => tmb
Component: Security => RPM Packages
Hardware: i586 => All
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

David Walser 2014-07-08 01:35:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/604602/