Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107961.html

The issue is fixed upstream in 1.20.6.

Updated packages uploaded for Mageia 3 and Cauldron.

I have also fixed a couple other issues I found in the package, noted here:
https://bugs.mageia.org/show_bug.cgi?id=3448#c31
https://bugs.mageia.org/show_bug.cgi?id=3448#c34

I added the suhosin setting and changed the access restrictions so that when you install the package, /mediawiki itself should be accessible from a remote host, but the installer should only be accessible from localhost.

I did not move LocalSettings.php or extensions out of /usr/share/mediawiki in the Mageia 3 package. Since all useful extensions should really be packaged anyway, I decided it wasn't necessary to move extensions. In the Cauldron package I did move LocalSettings.php to /etc/mediawiki and the "images" file uploads directory to /var/www/mediawiki. I considered these changes to not be appropriate for the stable release at this time.

I also updated the LdapAuthentication extension package to a version meant for MediaWiki 1.20 (rather than the current one, which is for 1.19). I'll file a separate bug for that.

Note: the security issue is upstream bug 48306.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were not being run when the file was uploaded in chunks through the API. This option has been available to users who can upload files since MediaWiki 1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.1.mga3
mediawiki-mysql-1.20.6-1.1.mga3
mediawiki-pgsql-1.20.6-1.1.mga3
mediawiki-sqlite-1.20.6-1.1.mga3

from mediawiki-1.20.6-1.1.mga3.src.rpm
Bug 10785 filed for the mediawiki-ldapauthentication update.
Blocks: (none) => 3448
This one needs to obsolete mediawiki-renameuser to provide clean upgrades, see:
https://bugs.mageia.org/show_bug.cgi?id=10785
and:
https://bugs.mageia.org/show_bug.cgi?id=10794
CC: (none) => tmb
Thanks Thomas, I saw your note on 10794. Fixed now.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were not being run when the file was uploaded in chunks through the API. This option has been available to users who can upload files since MediaWiki 1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.2.mga3
mediawiki-mysql-1.20.6-1.2.mga3
mediawiki-pgsql-1.20.6-1.2.mga3
mediawiki-sqlite-1.20.6-1.2.mga3

from mediawiki-1.20.6-1.2.mga3.src.rpm
Advisory uploaded, and testing complete on Mageia 3 i586. I'll test x86_64 shortly.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-32-OK
Testing complete on Mageia 3 x86_64. For both tests, installed and set up mediawiki, created a wiki page, then installed the update, and created another page. Could someone from the sysadmin team push 10784.adv to updates?
Keywords: (none) => validated_update
Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0221.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)