Bug 23662

Summary: mediawiki new security issues fixed upstream in 1.27.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, herman.viaene, marja11, rverschelde, shlomif, smelror, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: mediawiki-1.27.4-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-10 00:02:14 CEST 
Upstream has announced version 1.27.5 on September 20:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2018-September/000223.html

Cauldron should also be updated to the new 1.31.x LTS branch.

Debian has issued an advisory for this on September 22:
https://www.debian.org/security/2018/dsa-4301
David Walser 2018-10-10 00:02:22 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-10 06:21:19 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers and our sysadmins, because we use MediaWiki for our wiki.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, rverschelde, shlomif, smelror, sysadmin-bugs, tmb

Comment 2 Bruno Cornec 2018-10-25 18:26:02 CEST 
1.27.5 uploaded to mga6

Assignee: pkg-bugs => bruno
Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 3 Bruno Cornec 2018-10-25 19:02:42 CEST 
mediawiki-1.31.1-1.mga7 uploaded to cauldron

Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs
Version: Cauldron => 6

Comment 4 David Walser 2018-10-26 01:14:57 CEST 
Thanks Bruno.  Note for future reference that when mediawiki is updated to a new branch, mediawiki-math and mediawiki-ldapauthentication need to be updated too.  I took care of it.
Comment 5 David Walser 2018-10-26 01:18:01 CEST 
Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

$wgRateLimits entry for 'user' overrides 'newbie' (CVE-2018-0503).

When a log event is (partially) hidden Special:Redirect/logid can link to the
incorrect log and reveal hidden information (CVE-2018-0504).

BotPasswords can bypass CentralAuth's account lock (CVE-2018-0505).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0505
https://lists.wikimedia.org/pipermail/mediawiki-announce/2018-September/000223.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.5-1.mga6
mediawiki-mysql-1.27.5-1.mga6
mediawiki-pgsql-1.27.5-1.mga6
mediawiki-sqlite-1.27.5-1.mga6

from mediawiki-1.27.5-1.mga6.src.rpm
Comment 6 Herman Viaene 2018-10-29 15:06:02 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following QA procedure from Wiki:
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: active (running) since ma 2018-10-29 13:46:42 CET; 11s ago
# systemctl start mysqld
# systemctl -l status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: enabled)
   Active: active (running) since ma 2018-10-29 13:47:45 CET; 6s ago
Setup of mediawiki seems OK,  checked presence of database with phpmyadmin, looks OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 7 Thomas Andrews 2018-11-02 19:58:35 CET 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm
Keywords: (none) => validated_update

Thomas Backlund 2018-11-03 12:08:34 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-11-03 12:56:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0433.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED