Upstream has announced version 1.23.8 on December 17:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
CVE request:
http://www.openwall.com/lists/oss-security/2014/12/21/2
Freeze push requested for Cauldron.
Updated package uploaded for Mageia 4.
Advisory to come later once CVEs are assigned.
Updated packages in core/updates_testing:
========================
mediawiki-1.23.8-1.mga4
mediawiki-mysql-1.23.8-1.mga4
mediawiki-pgsql-1.23.8-1.mga4
mediawiki-sqlite-1.23.8-1.mga4
from mediawiki-1.23.8-1.mga4.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki
Whiteboard: (none) => has_procedure
MGA4-64 on HP Probook 6555b
Followed procedure as in Comment 1 (I did not create a wiki with the old packages) and did create a new wiki, edited the starting page and added a second page.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64-OK
I used the Postgres backend.
MGA4-32 on Acer D620
Followed procedure as in Comment 1 (I did not create a wiki with the old packages), used Postgres as backend. I created a new wiki, edited the starting page and added a second page.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK
Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Need an advisory for this one please David.
Still no CVE assignments.
Debian has issued an advisory for the first of the two issues on December 23:
https://www.debian.org/security/2014/dsa-3110
Advisory:
========================
Updated mediawiki packages fix security vulnerabilities:
In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this.
In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
URL: (none) => http://lwn.net/Vulnerabilities/627588/
Validating. Advisory uploaded.
Please push to updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0555.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
MITRE has finally assigned CVEs:
http://openwall.com/lists/oss-security/2015/01/03/13
Could someone update the advisory in SVN? Thanks.
Advisory:
========================
Updated mediawiki packages fix security vulnerabilities:
In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this (CVE-2014-9475).
In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name (CVE-2014-9476).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9476
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
http://openwall.com/lists/oss-security/2015/01/03/13
LWN reference containing both issues: http://lwn.net/Vulnerabilities/628835/
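The CORS issue in the advisory above (CVE-2014-9476) is the class of bug that appears when an origin allowlist is matched without anchoring the pattern to the whole host name. The following is an added example, not MediaWiki's code and not part of this report; the function names, allowlist entries and sample origins are constructed, and the wildcard-to-regex matching is an assumption about how such a list is evaluated.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist in the style of $wgCrossSiteAJAXdomains.
# Assumption: '*' matches any run of characters, '?' exactly one.
ALLOWED = ["*.example.org", "wiki.example.net"]


def wildcard_to_regex(pattern):
    """Escape a wildcard pattern, then translate '*' and '?' to regex."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def origin_host(origin):
    """Lower-cased host of an Origin header value, or None if unusable."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def allowed_unanchored(origin, allowed=ALLOWED):
    """Weak check: a pattern may match anywhere inside the host name."""
    host = origin_host(origin)
    return host is not None and any(
        re.search(wildcard_to_regex(p), host) for p in allowed)


def allowed_anchored(origin, allowed=ALLOWED):
    """Hardened check: a pattern must match the whole host name."""
    host = origin_host(origin)
    return host is not None and any(
        re.fullmatch(wildcard_to_regex(p), host) for p in allowed)


def audit(origins, allowed=ALLOWED):
    """Origins the weak check accepts but the anchored check rejects."""
    return [o for o in origins
            if allowed_unanchored(o, allowed) and not allowed_anchored(o, allowed)]


# Constructed Origin header values, e.g. pulled from API access logs.
SAMPLE = ["https://en.example.org", "https://wiki.example.net",
          "https://wiki.example.net.other.invalid",
          "https://notwiki.example.net", "null"]

if __name__ == "__main__":
    for origin in audit(SAMPLE):
        print("accepted only by the unanchored check:", origin)
```

Running audit() over Origin values recorded before the update shows which cross-site requests an unanchored allowlist would have honoured.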