Bug 25986

Summary: mediawiki new security issue fixed upstream in 1.31.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mediawiki-1.31.5-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-12-29 05:13:37 CET 
Upstream has announced version 1.31.4 on October 7:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000236.html

It fixes one security issue.

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist
protection mechanism by starting with an arbitrary title, establishing a
non-resolvable redirect for the associated page, and using redirect=1 in the
action API when editing that page (CVE-2019-19709).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19709
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-December/000243.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.6-1.mga7
mediawiki-mysql-1.31.6-1.mga7
mediawiki-pgsql-1.31.6-1.mga7
mediawiki-sqlite-1.31.6-1.mga7

from mediawiki-1.31.6-1.mga7.src.rpm
Comment 1 David Walser 2019-12-29 05:13:49 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2020-01-03 16:00:14 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki up o creating a new wiki and a new page in it (trick: there is no "New" button, just type a name in the search box, it will not find it, but then you can create it).
Works OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-01-03 19:34:18 CET 
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 13:48:45 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-01-05 16:40:17 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0021.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED