Bug 32083

Summary: mediawiki new security issues fixed upstream in 1.35.11
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mediawiki-1.35.10-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-07-06 18:16:29 CEST 
Upstream has announced version 1.35.11 on June 30:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/

Debian has issued an advisory for this on July 5:
https://www.debian.org/security/2023/dsa-5447

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n (CVE-2023-29197).

Manualthumb bypasses badFile lookup (CVE-2023-36674).

XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36675
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.11-1.mga8
mediawiki-mysql-1.35.11-1.mga8
mediawiki-pgsql-1.35.11-1.mga8
mediawiki-sqlite-1.35.11-1.mga8

from mediawiki-1.35.11-1.mga8.src.rpm
David Walser 2023-07-06 18:16:37 CEST

Whiteboard: (none) => MGA8TOO

PC LX 2023-07-06 23:36:49 CEST

CC: (none) => mageia

Comment 1 PC LX 2023-07-07 12:25:57 CEST 
Installed and tested without regressions.

Using sqlite as this is a personal site with low load.

Had to change the apache configuration as reported in bug 27781 and also did some minor changes so that it is accessed only from the local network.



System: Mageia 8, x86_64.



# uname -a
Linux marte 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep mediawiki
mediawiki-sqlite-1.35.11-1.mga8
mediawiki-1.35.11-1.mga8
Comment 2 David Walser 2023-07-12 20:08:05 CEST 
CC'ing sysadmin-bugs, still waiting for this to be moved in Cauldron.

CC: (none) => sysadmin-bugs

Comment 3 PC LX 2023-07-17 17:41:45 CEST 
This update has been working without issue for more than a week, in Mageia 8, so I'm giving it an OK.

It still needs the packages for cauldron and the corresponding testing.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 4 David Walser 2023-07-17 19:16:33 CEST 
It's still in updates_testing in Cauldron and needs to be moved.
Comment 5 David Walser 2023-07-21 15:08:39 CEST 
Moved in Cauldron.

Version: Cauldron => 8
Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK
CC: sysadmin-bugs => (none)

Comment 6 Thomas Andrews 2023-07-23 17:25:11 CEST 
Validating. Advisory in comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-07-24 20:24:32 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-07-27 00:09:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0241.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED