Upstream will release version 1.23.1 today:
http://openwall.com/lists/oss-security/2014/06/25/4

We'll upgrade to this LTS version for Mageia 3 and Mageia 4 as well.

The mediawiki-ldapauthentication and mediawiki-math packages will be updated as well (already done in Cauldron).
Whiteboard: (none) => MGA4TOO, MGA3TOO
The updated releases have been announced:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

I'm not sure if they'll get a CVE:
http://openwall.com/lists/oss-security/2014/06/26/1

We'll see what happens with that. For now, the updated packages are built and uploaded and can be tested.

Updated packages in core/updates_testing:
========================
mediawiki-1.23.1-1.mga3
mediawiki-mysql-1.23.1-1.mga3
mediawiki-pgsql-1.23.1-1.mga3
mediawiki-sqlite-1.23.1-1.mga3
mediawiki-ldapauthentication-2.1.0-1.mga3
mediawiki-math-1.2.0-1.mga3
mediawiki-1.23.1-1.mga4
mediawiki-mysql-1.23.1-1.mga4
mediawiki-pgsql-1.23.1-1.mga4
mediawiki-sqlite-1.23.1-1.mga4
mediawiki-ldapauthentication-2.1.0-1.mga4
mediawiki-math-1.2.0-1.mga4

from SRPMS:
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: mediawiki new security issues fixed upstream in 1.23.1 => mediawiki new security issue fixed upstream in 1.23.1
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Created attachment 5218
mediawiki-math

Tested on Mageia 3 & 4 for both i586 & x86_64 archs with instances for mysql, postgresql and sqlite.

The mediawiki-ldapauthentication extension doesn't support sqlite, so tested that without ldap authentication. Mysql and postgresql are both supported by it, so tested them using ldap.

The mediawiki-math extension works using mathjax and without it, but one of the new tools, texvccheck, was not compiled while building the package. It's a security tool that filters out any spam or other badness that may have been injected into the markup beforehand. The extension works without it, but there are complaints in the logs.

I patched (this attachment) the spec, rebuilt and upgraded the package. No more complaints in the logs.
CC: (none) => warrendiogenese
Thanks! I fixed mediawiki-math. Now we have:
mediawiki-math-1.2.0-1.1.mga3
mediawiki-math-1.2.0-1.1.mga4
That fixed mediawiki-math. No more errors in the logs. Testing complete.

------------------------------------------
Update validated.
Thanks.

Advisories:
No CVEs or PoC at this time. See Comment #1

SRPMS:
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
MITRE has contributed their two cents, so it really sounds like no CVE:
http://openwall.com/lists/oss-security/2014/06/27/18

I hadn't actually made an advisory for this one yet.

Advisory:
--------
This update provides MediaWiki 1.23.1, which provides several new features and fixes a couple of minor bugs from 1.22.7. The MediaWiki 1.23 branch is a Long Term Support branch, so this update will provide a basis for more stability for this package in the future.

The mediawiki-ldapauthentication and mediawiki-math packages have been updated to versions that are compatible with MediaWiki 1.23.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000152.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html
dropped security component. advisory added

update pushed:
http://advisories.mageia.org/MGAA-2014-0142.html
Status: NEW => RESOLVED
CC: (none) => tmb
Component: Security => RPM Packages
Hardware: i586 => All
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
URL: (none) => http://lwn.net/Vulnerabilities/604602/