Bug 12337 - mediawiki new security issues fixed in 1.22.1/1.22.2 (CVE-2013-6472, CVE-2013-6451, CVE-2013-6452, CVE-2013-6453, CVE-2014-1610)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584752/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Duplicates: 12339
Depends on:
Blocks:
 
Reported: 2014-01-17 14:11 CET by Oden Eriksson
Modified: 2014-03-06 14:33 CET
CC List: 9 users

See Also:
Source RPM: mediawiki-1.20.8-1.mga4.src.rpm
CVE:
Status comment:



Description Oden Eriksson 2014-01-17 14:11:53 CET
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html

I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and
1.19.10. These releases fix a number of security related bugs that could
affect users of MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance
release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file
for the full list of changes in this version. Download links are given at
the end of this email.


== Security fixes ==

* MediaWiki user Michael M reported that the fix for bug 55332
(CVE-2013-4568) allowed insertion of escaped CSS values which could pass
the CSS validation checks, resulting in XSS. (CVE-2013-6451)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58088>

* Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript. (CVE-2013-6452)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=57550>

* During internal review, it was discovered that MediaWiki's SVG
sanitization could be bypassed when the XML was considered invalid.
(CVE-2013-6453)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58553>

* During internal review, it was discovered that MediaWiki's CSS
sanitization did not filter -o-link attributes, which could be used to
execute JavaScript in Opera 12. (CVE-2013-6454)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58472>

* During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists. (CVE-2013-6472)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58699>

Comment 1 Oden Eriksson 2014-01-17 14:13:58 CET
http://www.mediawiki.org/wiki/Download

"Attention To MediaWiki ≤ 1.18.x and 1.20.x users: Support of these branches was discontinued. Please update to a newer version of MediaWiki:

    MediaWiki 1.22.1 (download) - stable
    MediaWiki 1.21.4 (download) - legacy
    MediaWiki 1.19.10 (download) - legacy lts"
Comment 2 David Walser 2014-01-17 14:49:59 CET
As I explained in a previous bug, it's time for us to upgrade to 1.22.x, as 1.20.x is now EOL:
https://bugs.mageia.org/show_bug.cgi?id=3448#c14

CC: (none) => luigiwalser
Version: 3 => Cauldron
Summary: multiple vulnerabilities in mediawiki (CVE-2013-6472, CVE-2013-6451, CVE-2013-6452, CVE-2013-6453) => mediawiki new security issues fixed in 1.22.1 (CVE-2013-6472, CVE-2013-6451, CVE-2013-6452, CVE-2013-6453)
Source RPM: mediawiki => mediawiki-1.20.8-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO

Comment 3 David Walser 2014-01-17 14:52:52 CET
*** Bug 12339 has been marked as a duplicate of this bug. ***
David Walser 2014-02-06 00:38:50 CET

Whiteboard: MGA3TOO => MGA4TOO, MGA3TOO

Comment 4 David Walser 2014-02-06 01:21:45 CET
Additionally we now also have:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html

I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and
1.19.11.

Your MediaWiki installation is affected by a remote code execution
vulnerability if you have enabled file upload support for DjVu (natively
supported by MediaWiki) or PDF files (in combination with the PdfHandler
extension). Neither file type is enabled by default in MediaWiki
installations. If you are affected, we strongly urge you to update
immediately.

Affected supported versions: All

== Security fixes ==

* Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way. (CVE-2014-1610)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=60339>

Summary: mediawiki new security issues fixed in 1.22.1 (CVE-2013-6472, CVE-2013-6451, CVE-2013-6452, CVE-2013-6453) => mediawiki new security issues fixed in 1.22.1/1.22.2 (CVE-2013-6472, CVE-2013-6451, CVE-2013-6452, CVE-2013-6453, CVE-2014-1610)
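
The exposure condition in this announcement (an unfixed release with DjVu uploads, or PDF uploads plus PdfHandler, enabled) can be checked against a wiki's settings file. The script below is an added example, not part of the announcement or of the Mageia package. It assumes the standard MediaWiki settings $wgEnableUploads and $wgFileExtensions are assigned on single lines and that PdfHandler is loaded with a require/include line; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: heuristic exposure check for CVE-2014-1610.
# Assumptions: LocalSettings.php uses one-line PHP assignments; the function
# names here are hypothetical helpers, not MediaWiki or Mageia tooling.

# version_key 1.22.2 -> 1022002; a suffix such as "rc1" on the last field is ignored.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}
    echo $(( $major * 1000000 + $minor * 1000 + ${patch:-0} ))
}

# version_ge A B: true when version A is at least version B.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Fixed releases named in the announcement: 1.22.2, 1.21.5 and 1.19.11.
# Any other branch older than 1.22.2 (for example the EOL 1.20.x) has no fix.
is_patched() {
    case "$1" in
        1.19.*) version_ge "$1" 1.19.11 ;;
        1.21.*) version_ge "$1" 1.21.5 ;;
        *)      version_ge "$1" 1.22.2 ;;
    esac
}

# ext_allowed FILE EXT: an uncommented $wgFileExtensions line lists EXT.
ext_allowed() {
    grep -Eiq "^[[:space:]]*[$]wgFileExtensions.*['\"]$2['\"]" "$1"
}

# True when the settings enable the upload types the announcement names.
risky_uploads_enabled() {
    # Uploads as a whole must be switched on.
    grep -Eiq '^[[:space:]]*[$]wgEnableUploads[[:space:]]*=[[:space:]]*true' "$1" || return 1
    # DjVu is handled natively, so allowing the extension is enough.
    if ext_allowed "$1" djvu; then return 0; fi
    # PDF only counts in combination with the PdfHandler extension.
    ext_allowed "$1" pdf &&
        grep -Eiq '^[[:space:]]*(require|include)(_once)?.*PdfHandler' "$1"
}

# cve_2014_1610_status VERSION SETTINGS_FILE
# Prints: patched | exposed | unpatched-not-exposed
cve_2014_1610_status() {
    if is_patched "$1"; then
        echo patched
    elif risky_uploads_enabled "$2"; then
        echo exposed
    else
        echo unpatched-not-exposed
    fi
}

# Constructed sample settings, not taken from any real wiki.
write_sample_settings() {
    cat > "$1" <<'EOF'
<?php
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'djvu' );
#$wgFileExtensions[] = 'pdf';
EOF
}

demo=$(mktemp)
write_sample_settings "$demo"
for v in 1.20.8 1.22.1 1.22.2; do
    echo "$v: $(cve_2014_1610_status "$v" "$demo")"
done
rm -f "$demo"
```

The check is line-based, so settings spread over several lines or placed inside /* */ comments are not interpreted; "unpatched-not-exposed" still means the package needs the update.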

Comment 5 David Walser 2014-02-06 01:35:56 CET
I've updated this in SVN with some help from diogenese.

We'll need to update mediawiki-math and mediawiki-ldapauthentication with these like we did in Bug 3448.  I've also committed those updates to SVN.

CC: (none) => warrendiogenese

Comment 6 David Walser 2014-02-06 19:06:34 CET
I built this locally on Mageia 3 and upgraded my wiki server at work (mediawiki, mediawiki-mysql, and mediawiki-ldapauthentication) and trying to connect to the main /mediawiki/ page in a browser I just get a database error.  There's nothing helpful in /var/log/httpd, so I don't know how to fix this.  (our server's fine since I reverted it back)
Comment 7 David Walser 2014-02-06 22:27:22 CET
Simon Parsons alerted me to this:
http://www.mediawiki.org/wiki/Manual:Update.php

So I ran "php /usr/share/mediawiki/maintenance/update.php" and everything worked!

I suppose this was probably the case when we updated Mageia 2 from mediawiki 1.16 to 1.19, but nobody tested upgrades.

I guess we should just add a note in the advisory about this, as running the command automatically from the package scriptlets could be dangerous (not to mention the fact that it runs semi-interactively).

CC: (none) => gm4nzg

Comment 8 David Walser 2014-02-06 22:45:57 CET
The mediawiki-updateall command run in %post actually is supposed to run update.php, but it relies on the /etc/mediawiki/instances file being correctly populated, which it isn't.  Hopefully someone can fix all that stuff at some point.

I've fixed some issues in Cauldron (will also fix in Mageia 4) with this update, where the %pretrans code wasn't quite working properly upon updating the package, if it had already been run once before.  Luckily nobody should actually get hit by this bug.
Comment 9 David Walser 2014-02-06 23:17:20 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed
insertion of escaped CSS values which could pass the CSS validation checks,
resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization
could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists (CVE-2013-6472).

Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way (CVE-2014-1610).

MediaWiki has been updated to version 1.22.2, which fixes these issues, as
well as several others.

Also, the mediawiki-ldapauthentication and mediawiki-math extensions have
been updated to newer versions that are compatible with MediaWiki 1.22.

Note: if you are upgrading from an existing MediaWiki 1.20 installation, you
will need to run the following command (which requires the php-cli package
to be installed) after installing the update:
php /usr/share/mediawiki/maintenance/update.php

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
http://www.mediawiki.org/wiki/Manual:Update.php
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.2-1.mga3
mediawiki-mysql-1.22.2-1.mga3
mediawiki-pgsql-1.22.2-1.mga3
mediawiki-sqlite-1.22.2-1.mga3
mediawiki-ldapauthentication-2.0f-1.mga3
mediawiki-math-1.1-1.mga3
mediawiki-1.22.2-1.mga4
mediawiki-mysql-1.22.2-1.mga4
mediawiki-pgsql-1.22.2-1.mga4
mediawiki-sqlite-1.22.2-1.mga4
mediawiki-ldapauthentication-2.0f-1.mga4
mediawiki-math-1.1-1.mga4

from SRPMS:
mediawiki-1.22.2-1.mga3.src.rpm
mediawiki-ldapauthentication-2.0f-1.mga3.src.rpm
mediawiki-math-1.1-1.mga3.src.rpm
mediawiki-1.22.2-1.mga4.src.rpm
mediawiki-ldapauthentication-2.0f-1.mga4.src.rpm
mediawiki-math-1.1-1.mga4.src.rpm

URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html => (none)
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 10 David Walser 2014-02-07 17:10:31 CET
Fedora has issued advisories for this on January 15 and January 30:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127027.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html

URL: (none) => http://lwn.net/Vulnerabilities/584752/

Comment 11 Samuel Verschelde 2014-02-10 19:07:06 CET
-----------------
Testing procedure
-----------------

This procedure applies if you have no existing mediawiki instance on your computer. Better to follow it in a VM. Note that it does not test all the mediawiki subpackages.

*** Phase 1, use mediawiki from the repos, but not the one from testing ***

We will create a new wiki.

# urpmi mediawiki --search-media

Then select one backend among mediawiki-{mysql,pgsql,sqlite}

start apache: service httpd start
start mysql or postgresql if you chose that as a backend

Visit http://localhost/mediawiki/ and click the "setup the wiki first" link

Follow the instructions. Default answers are ok most of the time. Remember the name and password of the administrator user. At some point, it asks whether to continue with more questions or stop here. I chose to stop there, do as you want.

Put the LocalSettings.php file they ask you to download in /etc/mediawiki/LocalSettings.php (as root)

When installation is complete, access your brand new wiki. Connect as the user you created.

Modify the starting page and add [[New page]] somewhere. Submit then follow that link to create your new page. Put some contents in it.


*** Phase 2, install the update candidate ***

# urpmi mediawiki --search-media "updates testing"

Go to http://localhost/mediawiki/ and check it works as before. Create a new page.


Now we will check that wiki creation still works. 

First delete your wiki : 
# rm /var/www/mediawiki -rf 
# rm /etc/mediawiki -rf

Note that this will remove not only your wiki but also some files from the installed RPM. To fix that:
# urpme mediawiki #(will give some error message, that's our fault, that's normal)
# urpmi mediawiki --search-media "updates testing"
Delete the database (if you chose mysql and called your database my_wiki : mysql -uroot, then drop database my_wiki;)

If someone has a better solution to remove an existing wiki, please improve the procedure :)

It's not totally removed yet, one last step: browse to 
http://localhost/mediawiki/mw-config/index.php?page=Restart&lastPage=Complete to make it restart the installation from 0.

Then repeat steps from phase 1 to create a new wiki and check it works.

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 12 Samuel Verschelde 2014-02-10 19:17:12 CET
Mageia 4, x86_64. I followed the procedure in comment #11. After installing the update candidate, the wiki I had created previously can't be accessed.

It gives the following error: "A database query error has occurred. This may indicate a bug in the software.". There's a bug, or there are additional steps to follow. If the latter is true, then the package should have told me right after the update (via README.urpmi or the like).

Also, the description for the mediawiki package is wrong:

-----
MediaWiki is the software used for Wikipedia and the other Wikimedia
Foundation websites. Compared to other wikis, it has an excellent
range of features and support for high-traffic websites using multiple
servers

This package includes math rendering support for mediawiki.
----

Lastly, neither the package description nor a README.urpmi explains where files are put and how to configure it on a Mageia system (that you don't have to run mediawiki_create, that LocalSettings.php is to be put in /etc/mediawiki/, that you probably can run only one instance at a time) and I haven't found documentation either (or didn't know where to look).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure feedback

Comment 13 David Walser 2014-02-10 19:17:53 CET
Just an addendum to Samuel's testing procedure, if you're going to test upgrading an existing installation, make sure you make note of the note in the advisory and run the upgrade script after installing the new package.
David Walser 2014-02-10 19:18:02 CET

Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure

Comment 14 David Walser 2014-02-10 19:19:56 CET
Yes, documentation in this package could be improved, but unless it gets a new maintainer or someone submits a patch, this won't happen.  Fortunately, the packages are functional.
Comment 15 Samuel Verschelde 2014-02-10 19:25:52 CET
Adding a README.urpmi would be easy, maybe a brutal solution but at least it gets some attention from users updating.
Comment 16 claire robinson 2014-02-10 19:32:58 CET
I agree with Samuel. Our updates should be hands-off where possible but if extra steps are needed this should be noted in a README.update.urpmi.

We can create a separate bug for the other documentation if it's really necessary.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure feedback

Comment 17 V P 2014-02-17 08:30:13 CET
Hello, please don't let this bug die. I've been waiting for the update since the end of January.

CC: (none) => yohonet

Comment 18 David Walser 2014-02-26 20:47:39 CET
The mediawiki package now runs the php maintenance script in %post automatically.

The instances feature has been removed.

mediawiki-graphviz has been obsoleted.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed
insertion of escaped CSS values which could pass the CSS validation checks,
resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization
could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists (CVE-2013-6472).

Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way (CVE-2014-1610).

MediaWiki has been updated to version 1.22.2, which fixes these issues, as
well as several others.

Also, the mediawiki-ldapauthentication and mediawiki-math extensions have
been updated to newer versions that are compatible with MediaWiki 1.22.

Additionally, the mediawiki-graphviz extension has been obsoleted, due to
the fact that it is unmaintained upstream and is vulnerable to cross-site
scripting attacks.

Note: if you were using the "instances" feature in these packages to
support multiple wiki instances, this feature has now been removed.  You
will need to maintain separate wiki instances manually.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127027.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
www.mediawiki.org/wiki/Extension:GraphViz
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.2-1.1.mga3
mediawiki-mysql-1.22.2-1.1.mga3
mediawiki-pgsql-1.22.2-1.1.mga3
mediawiki-sqlite-1.22.2-1.1.mga3
mediawiki-ldapauthentication-2.0f-1.1.mga3
mediawiki-math-1.1-1.1.mga3
mediawiki-1.22.2-1.1.mga4
mediawiki-mysql-1.22.2-1.1.mga4
mediawiki-pgsql-1.22.2-1.1.mga4
mediawiki-sqlite-1.22.2-1.1.mga4
mediawiki-ldapauthentication-2.0f-1.1.mga4
mediawiki-math-1.1-1.1.mga4

from SRPMS:
mediawiki-1.22.2-1.1.mga3.src.rpm
mediawiki-ldapauthentication-2.0f-1.1.mga3.src.rpm
mediawiki-math-1.1-1.1.mga3.src.rpm
mediawiki-1.22.2-1.1.mga4.src.rpm
mediawiki-ldapauthentication-2.0f-1.1.mga4.src.rpm
mediawiki-math-1.1-1.1.mga4.src.rpm

Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure

Comment 19 David Walser 2014-02-26 20:49:18 CET
Fixing copy-paste error in advisory.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed
insertion of escaped CSS values which could pass the CSS validation checks,
resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization
could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists (CVE-2013-6472).

Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way (CVE-2014-1610).

MediaWiki has been updated to version 1.22.2, which fixes these issues, as
well as several others.

Also, the mediawiki-ldapauthentication and mediawiki-math extensions have
been updated to newer versions that are compatible with MediaWiki 1.22.

Additionally, the mediawiki-graphviz extension has been obsoleted, due to
the fact that it is unmaintained upstream and is vulnerable to cross-site
scripting attacks.

Note: if you were using the "instances" feature in these packages to
support multiple wiki instances, this feature has now been removed.  You
will need to maintain separate wiki instances manually.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127027.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
http://www.mediawiki.org/wiki/Extension:GraphViz
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.2-1.1.mga3
mediawiki-mysql-1.22.2-1.1.mga3
mediawiki-pgsql-1.22.2-1.1.mga3
mediawiki-sqlite-1.22.2-1.1.mga3
mediawiki-ldapauthentication-2.0f-1.1.mga3
mediawiki-math-1.1-1.1.mga3
mediawiki-1.22.2-1.1.mga4
mediawiki-mysql-1.22.2-1.1.mga4
mediawiki-pgsql-1.22.2-1.1.mga4
mediawiki-sqlite-1.22.2-1.1.mga4
mediawiki-ldapauthentication-2.0f-1.1.mga4
mediawiki-math-1.1-1.1.mga4

from SRPMS:
mediawiki-1.22.2-1.1.mga3.src.rpm
mediawiki-ldapauthentication-2.0f-1.1.mga3.src.rpm
mediawiki-math-1.1-1.1.mga3.src.rpm
mediawiki-1.22.2-1.1.mga4.src.rpm
mediawiki-ldapauthentication-2.0f-1.1.mga4.src.rpm
mediawiki-math-1.1-1.1.mga4.src.rpm

Severity: normal => major

Comment 20 David Walser 2014-02-27 20:47:14 CET
Packages installed and working fine on my production wiki server at work (Mageia 3 i586).
Comment 21 Thomas Backlund 2014-02-28 15:47:48 CET
Seems more possible CVEs got squashed in 1.22.3

http://seclists.org/oss-sec/2014/q1/454

CC: (none) => tmb

Comment 22 David Walser 2014-02-28 16:57:26 CET
(In reply to Thomas Backlund from comment #21)
> Seems more possible CVEs got squashed in 1.22.3
> 
> http://seclists.org/oss-sec/2014/q1/454

Yes I know, but I'd still like to have this tested.  I'll deal with 1.22.3 next week maybe.
Comment 23 Carolyn Rowse 2014-03-01 09:20:33 CET
Testing 32-bit Mga3 and Mga4.

CC: (none) => isolde

Comment 24 Carolyn Rowse 2014-03-01 10:30:44 CET
Well with Mga3 I can't connect to Mysql, I get the following error message:

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
Comment 25 David Walser 2014-03-01 15:13:30 CET
Is mariadb installed and mysqld.service running?
Comment 26 Marc Lattemann 2014-03-01 18:47:23 CET
works fine here (MGA 32bit) with mysql database: 
- Installed mariadb
- Installed mediawiki from core
- Generated wiki
- Updated it with mediawiki from update testing
- mediawiki-updater runs automatically after urpmi-installation
- wiki still works
- removed LocalSetting.php and generated wiki new from updated package
- newly created wiki works fine

will now test sqlite, and postgres. Is it necessary to test entire creation of other components for (e.g. bugzilla) for all different database types?

CC: (none) => marc.lattemann

Comment 27 David Walser 2014-03-01 19:51:59 CET
Thanks Marc!  Which Mageia version did you test on (3 or 4)?

The testing you've done is certainly sufficient for testing the update.  Any additional testing you do wouldn't hurt, and if you find any issues we can hopefully address them later.  The mediawiki-bugzilla package in Mageia isn't really maintained and I don't know anything about it.
Comment 28 Marc Lattemann 2014-03-01 21:14:38 CET
oh sorry, was MGA3 32bit.

However trying to install fresh with sqlite, the mediawiki installer does not run.
'Could not find a suitable database driver!'

installed is:
[root@MGA3_32bit share]# rpm -qa | grep sqlite
sqlite3-tools-3.7.17-1.mga3
libsqlite3_0-3.7.17-1.mga3
php-sqlite3-5.4.23-1.mga3
x2goserver-sqlite-4.0.0.0-2.mga3
mediawiki-sqlite-1.20.8-1.mga3

It seems it does not recognize the php-sqlite3? Or is there any other package missing?


And furthermore testing the mediawiki-postgresql fails right now due to my limited postgresql knowledge (can't get the server running - but I keep trying...)
Comment 29 David Walser 2014-03-01 21:26:29 CET
(In reply to Marc Lattemann from comment #28)
> It seems it does not recognized the php-sqlite3? Or is there any other
> package missing?

I think Claire said it needs php-pdo-sqlite for that.
Comment 30 Marc Lattemann 2014-03-02 02:26:49 CET
missing package was preludedb-sqlite3

Should I create new report because of missing dependency?

However same test as in #26 works in MGA3 32bit with SQLite database, so this part tested successfully as well. Next part postgresql...
Comment 31 David Walser 2014-03-02 02:41:30 CET
(In reply to Marc Lattemann from comment #30)
> missing package was preludedb-sqlite3
> 
> Should I create new report because of missing dependency?

No, if there's something that needs to be added I can do it in the next update, but I don't understand how preludedb-sqlite3 could possibly be required.
Comment 32 Marc Lattemann 2014-03-02 12:47:29 CET
using same procedure as in comment #26 installation and upgrading mediawiki with postgresql database works as expected in mga3 32bit

Testing for mga3 32bit completed. Going on with mga3 64bit...

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

Comment 33 Marc Lattemann 2014-03-02 14:01:12 CET
testing completed for MGA3 64bit for sqlite, mysql and postgresql. Update as well as new creation of wiki works...

(In reply to David Walser from comment #31)
> (In reply to Marc Lattemann from comment #30)
> > missing package was preludedb-sqlite3

>  but I don't understand how preludedb-sqlite3 could possibly be
> required.

David, you're absolutely correct: preludedb-sqlite3 is not needed, but you have to restart httpd.service after installation of php-pdo_sqlite to get mediawiki with sqlite running.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 34 Marc Lattemann 2014-03-02 15:22:55 CET
testing completed for MGA4 64bit for sqlite, mysql and postgresql. Update as well as new creation of wiki works...

works at least with postgresql9.2 server but not with 9.3 due to: https://bugs.mageia.org/show_bug.cgi?id=12337

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK

Comment 35 David Walser 2014-03-02 15:39:23 CET
(In reply to Marc Lattemann from comment #34)
> works at least with postgresql9.2 server but not with 9.3 due to:
> https://bugs.mageia.org/show_bug.cgi?id=12337

That's this bug...
Comment 36 Marc Lattemann 2014-03-02 16:04:05 CET
damn, I need a preview-function - sorry, here is the correct link: https://bugs.mageia.org/show_bug.cgi?id=12782
Comment 37 Marc Lattemann 2014-03-02 16:41:44 CET
testing completed for MGA4 32bit for sqlite, mysql and postgresql. Update as well as new creation of wiki works...

ready for validating: advisory needs to be uploaded?

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 38 Thomas Backlund 2014-03-02 21:29:58 CET
Advisory uploaded, validating

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 39 Thomas Backlund 2014-03-02 22:01:03 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 40 David Walser 2014-03-03 19:10:15 CET
LWN reference for the issues fixed in 1.22.1, which LWN previously missed:
http://lwn.net/Vulnerabilities/589095/
Comment 41 V P 2014-03-06 12:18:59 CET
(In reply to Carolyn Rowse from comment #24)
> Well with Mga3 I can't connect to Mysql, I get the following error message:
> 
> ERROR 2002 (HY000): Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (2)

Got the same error. I actually found I modified some things from the mediawiki package manually, so put the blame on me.

I made several things, so can't point at the exact problem but if somebody gets the same error, check the following :
1) /etc/mediawiki/LocalSettings.php must exist (it was present in /var/www/mediawiki/ in my case)
2) Check symlinks in /var/www/mediawiki and /usr/share/mediawiki are not broken
3) Remove /etc/httpd/conf/sites.d/mediawiki.conf, remove the mediawiki package and reinstall the mediawiki package: this will install the correct config file. In my case, it also launched an upgrade process which, for some reason, did not run when I first updated mediawiki package.
Comment 42 David Walser 2014-03-06 14:33:21 CET
(In reply to V P from comment #41)
> Got the same error. I actually found I modified some things from the
> mediawiki package manually, so put the blame on me.
> 
> I made several things, so can't point at the exact problem but if somebody
> gets the same error, check the following :
> 1) /etc/mediawiki/LocalSettings.php must exist (it was present in
> /var/www/mediawiki/ in my case)

Yep, /etc/mediawiki is the correct place to store that file.

> 2) Check symlinks in /var/www/mediawiki and /usr/share/mediawiki are not
> broken

#2 could have been my fault.  Some previous versions of the package had bugs in the scriptlets that messed up the symlinks.  I've since fixed that.

> 3) Remove /etc/httpd/conf/sites.d/mediawiki.conf, remove the mediawiki
> package and reinstall the mediawiki package: this will install the correct
> config file. In my case, it also launched an upgrade process which, for some
> reason, did not run when I first updated mediawiki package.

The first update candidate I posted for this didn't run the upgrade script, the second one (the one we actually released) did.

BTW, we're testing an update to 1.22.3 now (Bug 12931), feel free to help test it.
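
The first two checks from comments 41 and 42 (settings file in /etc/mediawiki, no dangling symlinks under /var/www/mediawiki and /usr/share/mediawiki) can be scripted. The script below is an added example, not part of the thread or of the Mageia package. Its function names and root-prefix argument are hypothetical, and treating a regular-file LocalSettings.php under /var/www/mediawiki as misplaced is an assumption based on comment 41.

```shell
#!/bin/sh
# Added example: post-upgrade layout check for the Mageia mediawiki package.
# Assumption: every function takes a root prefix (empty string for the live
# system) so the check can be tried on a scratch tree first.

# Print every dangling symlink below directory $1 (nothing if $1 is absent).
broken_symlinks() {
    [ -d "$1" ] || return 0
    find "$1" -type l ! -exec test -e {} \; -print
}

# check_mediawiki_layout ROOT
# Prints one line per problem; returns 0 only when nothing was found.
check_mediawiki_layout() {
    root=$1
    rc=0

    # Comment 41, point 1: the settings file belongs in /etc/mediawiki.
    if [ ! -f "$root/etc/mediawiki/LocalSettings.php" ]; then
        echo "missing /etc/mediawiki/LocalSettings.php"
        rc=1
    fi
    stray="$root/var/www/mediawiki/LocalSettings.php"
    if [ -f "$stray" ] && [ ! -L "$stray" ]; then
        echo "misplaced copy: /var/www/mediawiki/LocalSettings.php"
        rc=1
    fi

    # Comment 41, point 2: symlinks left dangling by older scriptlets.
    for dir in "$root/var/www/mediawiki" "$root/usr/share/mediawiki"; do
        links=$(broken_symlinks "$dir")
        if [ -n "$links" ]; then
            echo "$links" | sed 's/^/broken symlink: /'
            rc=1
        fi
    done
    return $rc
}

# Constructed scratch tree reproducing the situation from comment 41:
# settings file in the wrong directory plus one dangling symlink.
make_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/mediawiki" "$t/var/www/mediawiki" "$t/usr/share/mediawiki"
    : > "$t/var/www/mediawiki/LocalSettings.php"
    ln -s "$t/no-such-target" "$t/var/www/mediawiki/skins"
    echo "$t"
}

scratch=$(make_scratch_tree)
check_mediawiki_layout "$scratch" || echo "layout problems found (constructed tree)"
rm -rf "$scratch"
```

On an installed system the call is `check_mediawiki_layout ""`; point 3 of comment 41 (reinstalling the package to restore mediawiki.conf) is a repair step and is not covered.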
