Bug 18513

Summary: mediawiki new security issues fixed upstream in 1.23.14
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/689273/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: mediawiki-1.23.12-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-05-23 04:55:53 CEST 
Upstream has announced version 1.23.14 on May 20:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html

A bugfix release, 1.23.13, has also been released since our last update:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000187.html

I haven't yet seen any CVE requests.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory to come later.  For now, see the upstream announcement.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Updated packages in core/updates_testing:
========================
mediawiki-1.23.14-1.mga5
mediawiki-mysql-1.23.14-1.mga5
mediawiki-pgsql-1.23.14-1.mga5
mediawiki-sqlite-1.23.14-1.mga5

from mediawiki-1.23.14-1.mga5.src.rpm
David Walser 2016-05-23 04:56:36 CEST

Whiteboard: (none) => has_procedure

Comment 1 David Walser 2016-05-23 19:44:58 CEST 
Working fine on our production wiki at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 2 David Walser 2016-05-23 19:46:18 CEST 
Assuming no CVEs come our way soon, here's a generic advisory we can use.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

The mediawiki package has been updated to version 1.23.14, which fixes
multiple security issues and other bugs.  See the release announcements for
more details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000187.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html
Comment 3 Lewis Smith 2016-05-23 22:10:07 CEST 
Wanting to test M5 x64
The mirror must be playing up. With Updates Testing repos enabled, MCC/Update System takes about 20m to show its list - and the MediaWiki entries are 1.23.13-1.mga5, not 1.23.14-1.mga5 as in Comment 0.
Will re-try tomorrow.

CC: (none) => lewyssmith

Comment 4 David Walser 2016-05-23 22:19:44 CEST 
There are some mirroring issues afoot.  Apparently distrib-coffee is busted (and it's a Tier 1 mirror many others sync with), so you may need to try a different mirror.
Comment 5 Lewis Smith 2016-05-24 21:32:48 CEST 
Testing M5 x64 with PostgreSQL: OK

Updated installed MediaWiki to:
 mediawiki-1.23.14-1.mga5
 mediawiki-pgsql-1.23.14-1.mga5
 mediawiki-mysql-1.23.14-1.mga5
Used it a little with Firefox, created/previewed/edited a new page. All seems OK.

Validating; advisory in Comment 2 to upload.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-05-27 13:58:50 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 6 Mageia Robot 2016-05-29 15:56:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-01 13:31:37 CEST

URL: (none) => http://lwn.net/Vulnerabilities/689273/