Bug 26443

Summary: mediawiki new security issue fixed upstream in 1.31.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mediawiki-1.31.6-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-04-06 22:24:41 CEST 
Upstream has announced version 1.31.7 on March 26:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html

It fixes one security issue.

Debian has issued an advisory for this on April 2:
https://www.debian.org/security/2020/dsa-4651

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

In MediaWiki before 1.31.7, users can add various Cascading Style Sheets (CSS)
classes (which can affect what content is shown or hidden in the user
interface) to arbitrary DOM nodes via HTML content within a MediaWiki page.
This occurs because jquery.makeCollapsible allows applying an event handler to
any Cascading Style Sheets (CSS) selector. There is no known way to exploit
this for cross-site scripting (XSS) (CVE-2020-10960).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10960
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.7-1.mga7
mediawiki-mysql-1.31.7-1.mga7
mediawiki-pgsql-1.31.7-1.mga7
mediawiki-sqlite-1.31.7-1.mga7

from mediawiki-1.31.7-1.mga7.src.rpm
Comment 1 David Walser 2020-04-06 22:26:01 CEST 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Also, I changed the ownership of /usr/share/mediawiki/mw-config from what looked to be incorrectly set to apache:apache all these years to be root:root with everything else in /usr/share.  Please make sure this doesn't cause any issues, especially with setting up a new installation (though I don't expect it to).

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2020-04-08 14:06:28 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed QA procedure:
# systemctl start httpd
# systemctl status -l httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-04-08 13:38:58 CEST; 3s ago
 Main PID: 4690 (httpd)
   Status: "Processing requests..."
   Memory: 34.3M
   CGroup: /system.slice/httpd.service
           ├─4690 /usr/sbin/httpd -DFOREGROUND
           ├─4692 /usr/sbin/httpd -DFOREGROUND
           ├─4693 /usr/sbin/httpd -DFOREGROUND
           ├─4696 /usr/sbin/httpd -DFOREGROUND
           ├─4703 /usr/sbin/httpd -DFOREGROUND
           ├─4708 /usr/sbin/httpd -DFOREGROUND
           └─4713 /usr/sbin/httpd -DFOREGROUND

Apr 08 13:38:57 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Apr 08 13:38:58 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
# systemctl start mysqld
# systemctl status -l mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-04-08 13:39:11 CEST; 10s ago
  Process: 4749 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 4763 (mysqld)
   Status: "Taking your SQL requests now..."
   Memory: 66.8M
   CGroup: /system.slice/mysqld.service
           └─4763 /usr/sbin/mysqld

Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: 10.3.22 started; log sequence numbe>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: Loading buffer pool(s) from /var/li>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 200408 13:39:11 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 200408 13:39:11 server_audit: Query cache is enabled with the TABLE even>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] Reading of all Master_info entries succeeded
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] Added new Master_info '' to hash table
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] /usr/sbin/mysqld: ready for connections.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: Version: '10.3.22-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 0>
Apr 08 13:39:11 mach5.hviaene.thuis systemd[1]: Started MySQL database server.

Setup of mediawiki seems OK,  checked presence of database with phpmyadmin, looks OK, found records of the pages in the pages table.
No problem seen, David.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-04-09 00:06:36 CEST 
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-04-15 11:01:36 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2020-04-15 12:13:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0167.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED