Bug 14711

Summary: mediawiki new security issues fixed upstream in 1.23.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624612/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: mediawiki-1.23.6-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-02 17:46:08 CET 
Upstream has announced version 1.23.7 on November 27:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html

I haven't seen any CVE requests.

Freeze push requested for Cauldron.

The update is committed in SVN for Mageia 4.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-02 17:46:16 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-12-02 19:29:18 CET 
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

The advisory may be updated again later if CVEs show up.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.23.7, which fixes several potential security
issues and other bugs.  See the upstream announcement for details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.7-1.mga3
mediawiki-mysql-1.23.7-1.mga3
mediawiki-pgsql-1.23.7-1.mga3
mediawiki-sqlite-1.23.7-1.mga3
mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4
mediawiki-pgsql-1.23.7-1.mga4
mediawiki-sqlite-1.23.7-1.mga4

from SRPMS:
mediawiki-1.23.7-1.mga3.src.rpm
mediawiki-1.23.7-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => has_procedure

Comment 2 David Walser 2014-12-02 19:32:25 CET 
Working fine on our production wiki at work, Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 David Walser 2014-12-02 20:06:43 CET 
Oops, just updating Mageia 4 this time.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.23.7, which fixes several potential security
issues and other bugs.  See the upstream announcement for details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4
mediawiki-pgsql-1.23.7-1.mga4
mediawiki-sqlite-1.23.7-1.mga4

from mediawiki-1.23.7-1.mga4.src.rpm
Comment 4 olivier charles 2014-12-02 21:19:22 CET 
Testing on Mageia4x64 real hardware

Following procedure mentioned in Comment 1

From current packages :
mediawiki-1.23.6-1.mga4
mediawiki-mysql-1.23.6-1.mga4

To updated testing packages :
mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4

Installation OK, updating OK, connecting to previous installation OK, new installation OK, basic mediawiki usage OK

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2014-12-02 21:26:20 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-12-03 20:28:14 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0506.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2014-12-03 22:18:50 CET 
CVE request:
http://openwall.com/lists/oss-security/2014/12/03/9
Comment 8 David Walser 2014-12-04 20:28:19 CET 
CVEs have been assigned:
http://openwall.com/lists/oss-security/2014/12/04/16

Could someone please update the advisory in SVN?

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.7, a missing CSRF check could allow reflected XSS
on wikis that allow raw HTML (CVE-2014-9276).

MediaWiki's <cross-domain-policy> mangling, in MediaWiki before 1.23.7,
could allow an article editor to inject code into API consumers that blindly
unserialize PHP representations of the page from the API (CVE-2014-9277).

This update provides MediaWiki 1.23.7, which fixes these security issues and
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9277
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
http://openwall.com/lists/oss-security/2014/12/04/16
David Walser 2014-12-04 20:31:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/624612/

Comment 9 RĂ©mi Verschelde 2014-12-04 20:57:19 CET 
Advisory updated.

CC: (none) => remi

Comment 10 David Walser 2014-12-12 19:24:43 CET 
LWN reference for the other security issues fixed in 1.23.7:
http://lwn.net/Vulnerabilities/626061/