Upstream has announced version 1.23.11 on October 16:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html

CVEs have been requested:
http://openwall.com/lists/oss-security/2015/10/19/8

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory to come later once CVEs are assigned. For now, see the upstream announcement.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Updated packages in core/updates_testing:
========================
mediawiki-1.23.11-1.mga5
mediawiki-mysql-1.23.11-1.mga5
mediawiki-pgsql-1.23.11-1.mga5
mediawiki-sqlite-1.23.11-1.mga5

from mediawiki-1.23.11-1.mga5.src.rpm
Whiteboard: (none) => has_procedure
Working fine on our production Wiki at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Testing Mag5 x64 with PostgreSQL database. Getting that working was some pain, not because it was difficult (it was easy), but finding the necessary information; I added relevant notes to the wiki page:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

BEFORE update:
Installed from normal repos:
mediawiki-1.23.10-1.mga5
mediawiki-mysql-1.23.10-1.mga5
mediawiki-pgsql-1.23.10-1.mga5
(The Mysql addition got pulled in anyway with MediaWiki itself).
Used it just enough to see that it worked.

AFTER update to:
mediawiki-1.23.11-1.mga5
mediawiki-mysql-1.23.11-1.mga5
mediawiki-pgsql-1.23.11-1.mga5
No problems en route. Confirmed that it still seems to function OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CVE-2015-8001 through CVE-2015-8009 assigned:
http://openwall.com/lists/oss-security/2015/10/29/14

Advisory to come soon.
Summary: mediawiki new security issues fixed upstream in 1.23.11 => mediawiki new security issues fixed upstream in 1.23.11 (CVE-2015-800[1-9])
CVE-2015-8006 through CVE-2015-8009 were for non-bundled extensions.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.11, the API failed to correctly stop adding new chunks to the upload when the reported size was exceeded, allowing a malicious user to add an infinite number of chunks for a single file upload (CVE-2015-8001).

In MediaWiki before 1.23.11, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (CVE-2015-8002).

In MediaWiki before 1.23.11, it is not possible to throttle file uploads, or in other words, rate limit them (CVE-2015-8003).

In MediaWiki before 1.23.11, a missing authorization check when removing suppression from a revision allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions (CVE-2015-8004).

In MediaWiki before 1.23.11, thumbnails of PNG files generated with ImageMagick contained the local file path in the image (CVE-2015-8005).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8005
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html
http://openwall.com/lists/oss-security/2015/10/29/14
Summary: mediawiki new security issues fixed upstream in 1.23.11 (CVE-2015-800[1-9]) => mediawiki new security issues fixed upstream in 1.23.11 (CVE-2015-800[1-5])
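The two chunked-upload bounds the advisory above describes as missing (CVE-2015-8001 and CVE-2015-8002), as an added Python sketch that is not MediaWiki's code and not part of this bug thread. The class and function names and the 1024-byte floor are assumptions, and the chunk sizes fed to replay() are constructed.

```python
from dataclasses import dataclass

MIN_CHUNK_SIZE = 1024  # assumed floor for non-final chunks (illustrative value)


class ChunkRejected(Exception):
    """Raised when a chunk violates the bounds of its upload session."""


@dataclass
class ChunkedUpload:
    declared_size: int   # total file size the client reported up front
    received: int = 0    # bytes accepted so far
    chunks: int = 0      # chunk files stored so far

    def add_chunk(self, offset: int, data: bytes) -> bool:
        """Accept one chunk; return True when the upload is complete."""
        if self.received >= self.declared_size:
            raise ChunkRejected("upload already complete")
        if offset != self.received:
            raise ChunkRejected("offset does not match bytes received")
        end = offset + len(data)
        # Bound 1: never store data past the size the client reported.
        if end > self.declared_size:
            raise ChunkRejected("chunk exceeds declared size")
        # Bound 2: only the final chunk may be smaller than the floor, so a
        # large file cannot be split into a huge number of tiny chunk files.
        is_final = end == self.declared_size
        if len(data) == 0 or (len(data) < MIN_CHUNK_SIZE and not is_final):
            raise ChunkRejected("chunk below minimum size")
        self.received = end
        self.chunks += 1
        return is_final

    def max_chunks(self) -> int:
        """Upper bound on stored chunk files implied by the two checks."""
        return -(-self.declared_size // MIN_CHUNK_SIZE)  # ceiling division


def replay(declared_size, chunk_sizes):
    """Feed constructed chunk sizes in order; return (chunks stored, outcome)."""
    up = ChunkedUpload(declared_size)
    for size in chunk_sizes:
        try:
            if up.add_chunk(up.received, b"\0" * size):
                return up.chunks, "complete"
        except ChunkRejected as exc:
            return up.chunks, str(exc)
    return up.chunks, "incomplete"
```

Rate limiting (CVE-2015-8003) is a separate control and is not modelled here.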
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0421.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/662906/