Bug 22038

Summary: mediawiki new security issues fixed upstream in 1.27.4
Product: Mageia
Reporter: Stig-Ørjan Smelror <smelror>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, shlomif, sysadmin-bugs
Version: 6
Keywords: advisory, has_procedure, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
Whiteboard: MGA6-64-OK
Source RPM:
CVE: CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815
Status comment:
Attachments: mgarepo update MediaWiki to 1.27.4

Description Stig-Ørjan Smelror 2017-11-16 07:48:23 CET
MediaWiki has released security updates that fix nine security issues in core and one related issue in the vendor folder.
Stig-Ørjan Smelror 2017-11-16 07:48:45 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Stig-Ørjan Smelror 2017-11-16 08:33:18 CET
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html

* (T128209) Reflected File Download from api.php. Reported by Abdullah Hussam. (CVE-2017-8809)
* (T165846) BotPasswords doesn't throttle login attempts.
* (T134100) On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password. (CVE-2017-8810)
* (T178451) XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (CVE-2017-8808)
* (T176247) It's possible to mangle HTML via raw message parameter expansion. (CVE-2017-8811)
* (T125163) id attribute on headlines allows raw >. (CVE-2017-8812)
* (T124404) language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
* (T119158) Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)

CVE: (none) => CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815

Stig-Ørjan Smelror 2017-11-16 08:46:12 CET

Assignee: bugsquad => luigiwalser

Comment 2 Stig-Ørjan Smelror 2017-11-16 08:52:59 CET
Created attachment 9794
mgarepo update MediaWiki to 1.27.4
David Walser 2017-11-16 14:16:54 CET

Version: Cauldron => 6
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2017-11-16 21:20:10 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

XSS when $wgShowExceptionDetails = false and browser sends non-standard url
escaping (CVE-2017-8808).

Reflected File Download from api.php (CVE-2017-8809).

On private wikis, login form shouldn't distinguish between login failure due
to bad username and bad password (CVE-2017-8810).

It's possible to mangle HTML via raw message parameter expansion
(CVE-2017-8811).

The id attribute on headlines allows raw > (CVE-2017-8812).

Language converter can be tricked into replacing text inside tags by adding a
lot of junk after the rule definition (CVE-2017-8814).

Language converter: unsafe attribute injection via glossary rules
(CVE-2017-8815).

composer.json has require-dev versions of PHPUnit with known security issues
(CVE-2017-9841).

Note that MediaWiki 1.23.x on Mageia 5 is no longer supported.  Those using
the mediawiki package on Mageia 5 should upgrade to Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.4-1.mga6
mediawiki-mysql-1.27.4-1.mga6
mediawiki-pgsql-1.27.4-1.mga6
mediawiki-sqlite-1.27.4-1.mga6

from mediawiki-1.27.4-1.mga6.src.rpm

Summary: MediaWiki Security release: 1.29.2 / 1.28.3 / 1.27.4 => mediawiki new security issues fixed upstream in 1.27.4
Assignee: luigiwalser => qa-bugs
Keywords: (none) => has_procedure

Comment 4 Lewis Smith 2017-11-27 18:03:48 CET
Testing M6/64

BEFORE update: mediawiki-1.27.3-2.mga6, mediawiki-pgsql-1.27.3-2.mga6
Following https://wiki.mageia.org/en/QA_procedure:Mediawiki I installed the packages and followed the setup as far as "Modify the starting page" which entailed logging in & editing.

AFTER update: mediawiki-1.27.4-1.mga6, mediawiki-pgsql-1.27.4-1.mga6
Added a new page, edited it, logged in & out, searched. Short of adding an image (I was unsure about the Help info, which I searched) this seems to work OK. A surfeit of updates precludes perusing the individual CVEs for potential PoCs.

OKing, validating.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK

Comment 5 Mageia Robot 2017-11-29 19:53:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0429.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED