Bug 27331

Summary:	mediawiki new security issues fixed upstream in 1.31.10
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, ouaurelien, sysadmin-bugs
Version:	7	Keywords:	advisory, has_procedure, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	mediawiki-1.31.8-1.mga7.src.rpm	CVE:
Status comment:

Description David Walser 2020-09-26 20:25:29 CEST

Upstream has announced versions 1.31.9 and 1.31.10 on September 24:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html

They fix several security issues.

Debian has issued an advisory for this on September 25:
https://www.debian.org/security/2020/dsa-4767

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Multiple security issues were discovered in MediaWiki: SpecialUserRights could
leak whether a user existed or not, multiple code paths lacked HTML
sanitisation allowing for cross-site scripting and TOTP validation applied
insufficient rate limiting against brute force attempts (CVE-2020-25812,
CVE-2020-25813, CVE-2020-25814, CVE-2020-25815, CVE-2020-25827,
CVE-2020-25828).

Possible issues with actors not being loaded from the correct database or wiki
(CVE-2020-25869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25869
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html
https://www.debian.org/security/2020/dsa-4767
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.10-1.mga7
mediawiki-mysql-1.31.10-1.mga7
mediawiki-pgsql-1.31.10-1.mga7
mediawiki-sqlite-1.31.10-1.mga7

from mediawiki-1.31.10-1.mga7.src.rpm

Comment 1 David Walser 2020-09-26 20:25:45 CEST

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2020-09-28 16:47:30 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki using mysql, worked OK.
Changed first page and added (see trick from bug 26921: create a new page by searching for itsnt yet existing name), then inserted link to it in main page.
All works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 Aurelien Oudelet 2020-09-29 15:29:02 CEST

Validated update, adv and packages in Description.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 4 Aurelien Oudelet 2020-09-29 15:39:36 CEST

Validated update, adv and packages in Comment 0.

Comment 5 Mageia Robot 2020-09-30 12:03:02 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED