Bug 30943

Summary: mediawiki new security issues fixed upstream in 1.35.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mediawiki-1.35.7-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-06 14:28:27 CEST 
Upstream has announced version 1.35.8 on September 29:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/

It fixes several security issues.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

HTMLUserTextField exposes existence of hidden users (CVE-2022-41765).

reassignEdits doesn't update results in an IP range check on
Special:Contributions (CVE-2022-41767).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41767
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.8-1.mga8
mediawiki-mysql-1.35.8-1.mga8
mediawiki-pgsql-1.35.8-1.mga8
mediawiki-sqlite-1.35.8-1.mga8

from mediawiki-1.35.8-1.mga8.src.rpm
Comment 1 David Walser 2022-10-06 14:28:54 CEST 
Debian has issued an advisory for this on October 4:
https://www.debian.org/security/2022/dsa-5246
Comment 2 Herman Viaene 2022-10-13 15:49:56 CEST 
Followed the umpteenth time the wiki, but when pointing to http://localhost/mediawiki/, I get Error 404. And yes both httpd and mysqld are running because I used phpMyadmin to set up database and user.
This laptop did not have mediawiki before.
I just noticed that the /etc/mediawiki folder is empty.

CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2022-10-13 18:36:48 CEST 
As root
From release and updates repos, installed mediawiki and php-mysqli selecting
apache, mysql, and required dependencies.

Edited /etc/php.d/05_date.ini and added a line with "date.timezone =America/Toronto"

"systemctl start mysqld.service"
"mysql_secure_installation", set the root password etc

"systemctl start httpd.service"

As regular user "firefox http://localhost/mediawiki"
Clicked on the "set up the wiki" link to http://localhost/mediawiki/mw-config/index.php

Selected mariadb as the db type and provided the root mysql password and chose to use the
same account for installation.

Was reminded of the annoying requirement to use at least 10 characters for the wiki password, so have a different password for logging in to mediawiki.

Downloaded the LocalSettings.php and copied it to /etc/mediawiki
"systemctl restart httpd.service" to pick up the new LocalSettings.php file.

Went to http://localhost/mediawiki/index.php/QaTestB4Update
Logged in, entered some text and a summary, created the page.

Installed the update using qarepo
"systemctl restart httpd.service"

Restarted firefox going back to http://localhost/mediawiki/index.php/QaTestB4Update
Went to http://localhost/mediawiki/index.php/QaTestAfterUpdate and created a new page.

Validating the update.

Herman, please try the above and update any missing or wrong parts in the wiki.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-10-13 21:04:38 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-10-13 22:06:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0370.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED