Bug 20654

Summary: mediawiki new security issues fixed upstream in 1.23.16
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: mediawiki-1.23.15-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-04-11 00:32:37 CEST 
Upstream has announced version 1.23.16 on April 6:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

API parameters may now be marked as "sensitive" to keep their values out of the
logs (CVE-2017-0361).

"Mark all pages visited" on the watchlist now requires a CSRF token
(CVE-2017-0362).

Special:UserLogin and Special:Search allow redirect to interwiki links
(CVE-2017-0363, CVE-2017-0364).

XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is
true (CVE-2017-0365).

SVG filter evasion using default attribute values in DTD declaration
(CVE-2017-0366).

Escape content model/format url parameter in message (CVE-2017-0368).

Sysops can undelete pages, although the page is protected against it
(CVE-2017-0369).

Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link
parameter (CVE-2017-0370).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0370
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.16-1.mga5
mediawiki-mysql-1.23.16-1.mga5
mediawiki-pgsql-1.23.16-1.mga5
mediawiki-sqlite-1.23.16-1.mga5

from mediawiki-1.23.16-1.mga5.src.rpm
Comment 1 David Walser 2017-04-11 00:32:56 CEST 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Whiteboard: (none) => has_procedure

Dave Hodgins 2017-04-15 00:50:49 CEST

Whiteboard: has_procedure => has_procedure advisory
CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2017-04-16 01:17:55 CEST 
Testing complete on Mageia 5 i586 using the procedure from
http://webcache.googleusercontent.com/search?q=cache:TCVt850hKyMJ:https://wiki.mageia.org/en/QA_procedure:Mediawiki%2Bmageia+QA_procedure:Mediawiki&num=100&client=opera&hs=cDE&channel=suggest&hl=en&ct=clnk

Testing x86_64 shortly.

Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK

Comment 3 Dave Hodgins 2017-04-16 01:27:39 CEST 
Validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-04-16 08:29:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0110.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED