18513 – mediawiki new security issues fixed upstream in 1.23.14

Bug 18513 - mediawiki new security issues fixed upstream in 1.23.14

Summary: mediawiki new security issues fixed upstream in 1.23.14

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/689273/
Whiteboard:	has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-05-23 04:55 CEST by David Walser
Modified:	2016-06-01 13:31 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	mediawiki-1.23.12-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-05-23 04:55:53 CEST

Upstream has announced version 1.23.14 on May 20:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html

A bugfix release, 1.23.13, has also been released since our last update:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000187.html

I haven't yet seen any CVE requests.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory to come later.  For now, see the upstream announcement.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Updated packages in core/updates_testing:
========================
mediawiki-1.23.14-1.mga5
mediawiki-mysql-1.23.14-1.mga5
mediawiki-pgsql-1.23.14-1.mga5
mediawiki-sqlite-1.23.14-1.mga5

from mediawiki-1.23.14-1.mga5.src.rpm

David Walser 2016-05-23 04:56:36 CEST

Whiteboard: (none) => has_procedure

Comment 1 David Walser 2016-05-23 19:44:58 CEST

Working fine on our production wiki at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 2 David Walser 2016-05-23 19:46:18 CEST

Assuming no CVEs come our way soon, here's a generic advisory we can use.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

The mediawiki package has been updated to version 1.23.14, which fixes
multiple security issues and other bugs.  See the release announcements for
more details.

References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000187.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html

Comment 3 Lewis Smith 2016-05-23 22:10:07 CEST

Wanting to test M5 x64
The mirror must be playing up. With Updates Testing repos enabled, MCC/Update System takes about 20m to show its list - and the MediaWiki entries are 1.23.13-1.mga5, not 1.23.14-1.mga5 as in Comment 0.
Will re-try tomorrow.

CC: (none) => lewyssmith

Comment 4 David Walser 2016-05-23 22:19:44 CEST

There are some mirroring issues afoot.  Apparently distrib-coffee is busted (and it's a Tier 1 mirror many others sync with), so you may need to try a different mirror.

Comment 5 Lewis Smith 2016-05-24 21:32:48 CEST

Testing M5 x64 with PostgreSQL: OK

Updated installed MediaWiki to:
 mediawiki-1.23.14-1.mga5
 mediawiki-pgsql-1.23.14-1.mga5
 mediawiki-mysql-1.23.14-1.mga5
Used it a little with Firefox, created/previewed/edited a new page. All seems OK.

Validating; advisory in Comment 2 to upload.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-05-27 13:58:50 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 6 Mageia Robot 2016-05-29 15:56:04 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-01 13:31:37 CEST

URL: (none) => http://lwn.net/Vulnerabilities/689273/

Note You need to log in before you can comment on or make changes to this bug.