Bug 30873

Summary: dokuwiki new security issue CVE-2022-3123
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: dokuwiki-20201204-0.20201204.1.dev.gitf2a13d8.mga9.src.rpm
CVE: CVE-2022-3123
Status comment:

Description David Walser 2022-09-20 14:23:01 CEST
Fedora has issued an advisory today (September 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/

The issue is fixed upstream in 2022-07-31a:
https://www.dokuwiki.org/changes#release_2022-07-31a_igor

Mageia 8 is also affected.

David Walser 2022-09-20 14:24:11 CEST

Status comment: (none) => Fixed upstream in 2022-07-31a
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-09-20 17:36:02 CEST
Assigning to our registered dokuwiki maintainer.

Assignee: bugsquad => joequant
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-10-11 14:45:54 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. (CVE-2022-3123)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3123
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/
https://www.dokuwiki.org/changes#release_2022-07-31a_igor
========================

Updated package in core/updates_testing:
========================
dokuwiki-20220731-1.mga8

from SRPM:
dokuwiki-20220731-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 2022-07-31a => (none)
Assignee: joequant => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-3123

Comment 3 Herman Viaene 2022-10-15 11:44:04 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Made sure httpd is running.
Followed editing /etc/httpd/conf/httpd.conf as described in bug 20431 Comment 2, restarted httpd and pointed to http://localhost/dokuwiki
and this brings up a startpage Dokuwiki mentioning
"This topic does not exist yet

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”."
Did that, just entered some nonsense text into it, closed the page and reopened the page, the text was there OK

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-10-15 16:02:42 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-18 23:27:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-10-19 01:16:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0372.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED