Upstream has announced version 1.23.7 on November 27:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html

I haven't seen any CVE requests.

Freeze push requested for Cauldron. The update is committed in SVN for Mageia 4.
Whiteboard: (none) => MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki

The advisory may be updated again later if CVEs show up.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.23.7, which fixes several potential security issues and other bugs. See the upstream announcement for details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
========================

Updated packages in core/updates_testing:
========================

mediawiki-1.23.7-1.mga3
mediawiki-mysql-1.23.7-1.mga3
mediawiki-pgsql-1.23.7-1.mga3
mediawiki-sqlite-1.23.7-1.mga3

mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4
mediawiki-pgsql-1.23.7-1.mga4
mediawiki-sqlite-1.23.7-1.mga4

from SRPMS:
mediawiki-1.23.7-1.mga3.src.rpm
mediawiki-1.23.7-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => has_procedure
Working fine on our production wiki at work, Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Oops, just updating Mageia 4 this time.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.23.7, which fixes several potential security issues and other bugs. See the upstream announcement for details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
========================

Updated packages in core/updates_testing:
========================

mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4
mediawiki-pgsql-1.23.7-1.mga4
mediawiki-sqlite-1.23.7-1.mga4

from mediawiki-1.23.7-1.mga4.src.rpm
Testing on Mageia 4 x86_64, real hardware, following the procedure mentioned in Comment 1.

From current packages:
mediawiki-1.23.6-1.mga4
mediawiki-mysql-1.23.6-1.mga4

To updated testing packages:
mediawiki-1.23.7-1.mga4
mediawiki-mysql-1.23.7-1.mga4

Installation OK, updating OK, connecting to previous installation OK, new installation OK, basic mediawiki usage OK.
CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0506.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE request: http://openwall.com/lists/oss-security/2014/12/03/9
CVEs have been assigned:
http://openwall.com/lists/oss-security/2014/12/04/16

Could someone please update the advisory in SVN?

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.7, a missing CSRF check could allow reflected XSS on wikis that allow raw HTML (CVE-2014-9276).

MediaWiki's <cross-domain-policy> mangling, in MediaWiki before 1.23.7, could allow an article editor to inject code into API consumers that blindly unserialize PHP representations of the page from the API (CVE-2014-9277).

This update provides MediaWiki 1.23.7, which fixes these security issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9277
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html
http://openwall.com/lists/oss-security/2014/12/04/16
URL: (none) => http://lwn.net/Vulnerabilities/624612/
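The second issue in the advisory above (CVE-2014-9277) comes down to the interaction between a text rewrite and PHP's serialize() format, whose strings carry an explicit byte length (s:5:"hello";). What follows is an added illustration, not MediaWiki's code and not taken from this bug report: a small Python serializer and strict parser for that format, a mangle step modelled on the <NOT-cross-domain-policy> rewrite that MediaWiki's wfMangleFlashPolicy() applies to output (my recollection of it; treat the exact replacement as an assumption), and the two orderings in which the rewrite can be applied. Rewriting the already-serialized bytes leaves the declared length pointing into the wrong place, so a consumer that blindly unserializes the response continues parsing from a position the article text chose; rewriting the values before serializing keeps the lengths honest.

```python
"""Added illustration (not MediaWiki code): why rewriting text inside an
already-serialized PHP payload is unsafe, and the ordering that avoids it.

PHP's serialize() format is length-prefixed:  s:5:"hello";  a:1:{<key><value>}
The mangle step imitates the '<NOT-cross-domain-policy>' rewrite of MediaWiki's
wfMangleFlashPolicy() as I recall it (an assumption, not from the bug report).
"""
import re


class PhpUnserializeError(ValueError):
    """Raised when the serialized bytes do not match their own length prefixes."""


def php_serialize(value) -> bytes:
    """Serialize int / str / dict (str or int keys) into PHP serialize() form."""
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return b's:%d:"%s";' % (len(data), data)      # PHP counts bytes, not chars
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %s" % type(value).__name__)


def _parse(buf: bytes, pos: int):
    """Parse one value at buf[pos]; return (value, position after it)."""
    tag = buf[pos:pos + 1]
    if tag == b"i":
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == b"s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        if buf[colon + 1:colon + 2] != b'"':
            raise PhpUnserializeError("expected opening quote at offset %d" % colon)
        start = colon + 2
        payload = buf[start:start + length]
        # Strict check: exactly `length` bytes must be followed by the closing '";'.
        if buf[start + length:start + length + 2] != b'";':
            raise PhpUnserializeError(
                "declared length %d does not match the bytes at offset %d" % (length, pos))
        return payload.decode("utf-8"), start + length + 2
    if tag == b"a":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                                # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            value, pos = _parse(buf, pos)
            items[key] = value
        if buf[pos:pos + 1] != b"}":
            raise PhpUnserializeError("unterminated array at offset %d" % pos)
        return items, pos + 1
    raise PhpUnserializeError("unsupported type %r at offset %d" % (tag, pos))


def php_unserialize(buf: bytes):
    """Strict unserialize: every length prefix must be consistent, no trailing data."""
    value, pos = _parse(buf, 0)
    if pos != len(buf):
        raise PhpUnserializeError("trailing data at offset %d" % pos)
    return value


_FLASH_POLICY = re.compile(rb"<(\s*cross-domain-policy\s*)>", re.IGNORECASE)


def mangle_flash_policy(data: bytes) -> bytes:
    """Neutralise a Flash cross-domain policy tag by inserting 'NOT-' (4 bytes)."""
    return _FLASH_POLICY.sub(rb"<NOT-\1>", data)


def _mangle_values(value):
    """Apply the mangle to every string in the result tree, before serializing."""
    if isinstance(value, str):
        return mangle_flash_policy(value.encode("utf-8")).decode("utf-8")
    if isinstance(value, dict):
        return {_mangle_values(k): _mangle_values(v) for k, v in value.items()}
    return value


def render_unsafe(result: dict) -> bytes:
    """Serialize, then rewrite the wire bytes: length prefixes no longer match."""
    return mangle_flash_policy(php_serialize(result))


def render_safe(result: dict) -> bytes:
    """Rewrite the values first, so serialize() computes lengths on the final text."""
    return php_serialize(_mangle_values(result))


def parses_cleanly(data: bytes) -> bool:
    """True if a strict consumer accepts the payload as self-consistent."""
    try:
        php_unserialize(data)
        return True
    except ValueError:
        return False


# Constructed sample: an API-style result whose page text an editor controls.
ARTICLE = {"parse": {"title": "Sandbox", "text": "<cross-domain-policy>hello"}}

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(ARTICLE)
        print(name, out, "->", "parses" if parses_cleanly(out) else "REJECTED")
```

The strict parser here rejects the unsafe output outright; a lenient consumer that trusts each length prefix and ignores trailing bytes would instead resume parsing four bytes early, inside text the editor wrote, which is the condition the advisory describes. Either rewrite the values before serializing, as render_safe() does, or refuse to emit a response that would need rewriting.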
Advisory updated.
CC: (none) => remi
LWN reference for the other security issues fixed in 1.23.7: http://lwn.net/Vulnerabilities/626061/