| Summary: | mediawiki new security issues fixed upstream in 1.35.10 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | mediawiki-1.35.8-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2023-01-27 16:40:03 CET
Updated packages uploaded for Mageia 8 and Cauldron. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927). An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909). An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.35.9-1.mga8 mediawiki-mysql-1.35.9-1.mga8 mediawiki-pgsql-1.35.9-1.mga8 mediawiki-sqlite-1.35.9-1.mga8 from mediawiki-1.35.9-1.mga8.src.rpm Assignee:
bugsquad =>
qa-bugs The package installation worked correctly. Other than the issue I reported before at bug 27781, it worked correctly. System: Mageia 8, x86_64. # uname -a Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux # rpm -q mediawiki mediawiki-1.35.9-1.mga8 CC:
(none) =>
mageia Forgot to mention that its using a sqlite database. # rpm -qa | grep mediawiki mediawiki-1.35.9-1.mga8 mediawiki-sqlite-1.35.9-1.mga8 MGA8-64 MATE on Acer Aspire 5253 No installation issues, deleting /var/www/mediawiki from previous updates before installation Started mysqld and httpd, went to the mediawiki installation page and bumped onto error in the Welocome page - Environmental checks: PHP 8.0.27 is installed. [Y9eVH1MeEC25TDsXhq1xewAAAAY] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE" CC:
(none) =>
herman.viaene I have again installed this package without issues. Just following the instructions on the following link did the trick. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki I'm not certain about the issue Herman encountered. I'm using PHP 8.1.16 (the one from the backport repositories) so maybe that makes a difference. It would help to get a better idea if the PHP display_errors in /etc/php.ini was set to "On" to get more detailed error information. # php --version PHP 8.1.16 (cli) (built: Feb 15 2023 13:32:53) (ZTS) Copyright (c) The PHP Group Zend Engine v4.1.16, Copyright (c) Zend Technologies with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies with Xdebug v3.1.1, Copyright (c) 2002-2021, by Derick Rethans Upstream has announced version 1.35.10 on March 30: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/ Fedora has issued an advisory for this today (April 10): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/ Updated packages uploaded for Mageia 8 and Cauldron (pending freeze move). Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649). An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927). An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909). An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911). An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur for an untrusted X-Forwarded-For header (CVE-2023-29141). OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration (T330086). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36649 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29141 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/ https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.35.10-1.mga8 mediawiki-mysql-1.35.10-1.mga8 mediawiki-pgsql-1.35.10-1.mga8 mediawiki-sqlite-1.35.10-1.mga8 from mediawiki-1.35.10-1.mga8.src.rpm Summary:
mediawiki new security issues fixed upstream in 1.35.9 =>
mediawiki new security issues fixed upstream in 1.35.10 Freeze move has been completed. Deleted existing database in mysql, deleted the /var/www/mediawiki and /etc/mediawiki, created new database wit phpmyadmin and launched the setup and got stuck at the same error as above: PHP 8.0.28 is installed. [ZEjvDlbwJ0rGu7zoQ81AFgAAAAQ] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE" There haven't been any changes to FirejailCommand.php or any changes referencing MW_CONFIG_FILE in the last two updates. MGA8-64 MATE on Acer Aspire 5253 No installation issues. Did the installation on a clean M8 setup (see bug 31997) and run thru the setup as described in the wiki using mysql as database. Setup works OK and created a first page. Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in comment 6. Keywords:
(none) =>
validated_update
Dave Hodgins
2023-06-27 22:33:24 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0204.html Resolution:
(none) =>
FIXED |