Bug 25273

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing our sysadmin team, in case https://wiki.mageia.org/ is affected by one or more of those security issues

CC: (none) => marja11, sysadmin-bugs
Assignee: bugsquad => pkg-bugs

Updated packages uploaded for Mageia 6, Mageia 7, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Potential XSS in jQuery (CVE-2019-11358).

An account can be logged out without using a token (CSRF) (CVE-2019-12466).

A spammer can use Special:ChangeEmail to send out spam with no rate limiting
or ability to block them (CVE-2019-12467).

Directly POSTing to Special:ChangeEmail would allow for bypassing
reauthentication, allowing for potential account takeover (CVE-2019-12468).

Exposed suppressed username or log in Special:EditTags (CVE-2019-12469).

Exposed suppressed log in RevisionDelete page (CVE-2019-12470).

Loading user JavaScript from a non-existent account allows anyone to create
the account, and XSS the users' loading that script (CVE-2019-12471).

It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`)
by using the API (CVE-2019-12472).

Passing invalid titles to the API could cause a DoS by querying the entire
`watchlist` table (CVE-2019-12473).

Privileged API responses that include whether a recent change has been
patrolled may be cached publicly (CVE-2019-12474).

The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2
(Mageia 7), fixing these issues and other bugs.  See the release announcements
for more details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12474
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.7-1.mga6
mediawiki-mysql-1.27.7-1.mga6
mediawiki-pgsql-1.27.7-1.mga6
mediawiki-sqlite-1.27.7-1.mga6
mediawiki-1.31.3-1.mga7
mediawiki-mysql-1.31.3-1.mga7
mediawiki-pgsql-1.31.3-1.mga7
mediawiki-sqlite-1.31.3-1.mga7

from SRPMS:
mediawiki-1.27.7-1.mga6.src.rpm
mediawiki-1.31.3-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Installed on Mageia infra, seems to work ok

CC: (none) => tmb
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

MGA7-64 Plasma on Lenobo B50
No installation issues.
Followed instructions as per https://wiki.mageia.org/en/QA_procedure:Mediawiki , completely up to accessing a new wiki using mysql rather then postgres.
All OK.

CC: (none) => herman.viaene
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0279.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED