Bug 24303

Summary: dokuwiki new version 20180422b fixes security issue with ACLs
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Stig-Ørjan Smelror <smelror>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, herman.viaene, joequant, marja11, mhrambo3501, ngompa13, qa-bugs, smelror
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: dokuwiki-20180422a-2.mga7.src.rpm CVE:
Status comment: Fixed upstream in 20180422b

Description David Walser 2019-02-03 00:16:47 CET 
See:
https://www.dokuwiki.org/changes
https://github.com/splitbrain/dokuwiki/pull/2609

Mageia 6 is also affected.
David Walser 2019-02-03 00:16:53 CET

Whiteboard: (none) => MGA6TOO

David Walser 2019-02-03 02:48:50 CET

Status comment: (none) => Fixed upstream in 20180422b

Comment 1 Marja Van Waes 2019-02-03 08:43:32 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing two committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant, marja11, ngompa13

Comment 2 Stig-Ørjan Smelror 2019-02-17 23:38:01 CET 
Version 20180422b pushed to Cauldron.

Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => smelror

Comment 3 Stig-Ørjan Smelror 2019-02-18 10:22:40 CET 
Advisory
========

Dokuwiki has been updated to fix a security issue regarding ACL that causes serious security issues in plugins that rely on this ACL check in search_allpages like the include plugin.

References
==========
https://www.dokuwiki.org/changes
https://github.com/splitbrain/dokuwiki/pull/2609

Files
=====

Uploaded to core/updates_testing:

dokuwiki-20180422b-1.1.mga6

from dokuwiki-20180422b-1.1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 4 Herman Viaene 2019-02-19 14:21:12 CET 
MGA6-32 MATE on IBM Thinkpad R50e
Installation: I had to downgrade apache first because of the issues with the current update.
Then when I try to install dokuwiki I get:
"Sorry, the following package can not be  selected:
dokuwiki-20180422b-1.1.mga6.noarch (because of unfulfilled pear(other/ide_stubs/libsodium.php))"

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-02-28 22:37:50 CET 
MGA6-64 Plasma on Athlon X2 7750, Nvidia340 graphics.

Installed dokuwiki-20170219-4.1, which pulled in several Apache and php 7 packages, all of which installed cleanly.

But, when I used qarepo to get the dokuwiki update and tried to install, I got the same error message that Herman got on his 32-bit system.

CC: (none) => andrewsfarm

Comment 6 Stig-Ørjan Smelror 2019-02-28 22:41:08 CET 
Thanks TJ.

I had forgotten about this error. Have asked for assistance and will push an update once it's been fixed.

Cheers,
Stig
Comment 7 Brian Rockwell 2019-08-17 21:41:39 CEST 
A news on this 6 month old fix?

CC: (none) => brtians1

Comment 8 David Walser 2019-08-17 21:44:14 CEST 
We should have at least had a feedback tag on this.  Whoops.

Assignee: qa-bugs => smelror
CC: (none) => qa-bugs

Comment 9 Mike Rambo 2019-11-06 21:21:23 CET 
Mageia 6 is EOL.

CC: (none) => mrambo
Status: NEW => RESOLVED
Resolution: (none) => OLD