Bug 22038 - mediawiki new security issues fixed upstream in 1.27.4
Summary: mediawiki new security issues fixed upstream in 1.27.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.wikimedia.org/pipermail...
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-16 07:48 CET by Stig-Ørjan Smelror
Modified: 2017-11-29 19:53 CET

See Also:
Source RPM:
CVE: CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815
Status comment:


Attachments
mgarepo update MediaWiki to 1.27.4 (805 bytes, patch)
2017-11-16 08:52 CET, Stig-Ørjan Smelror

Description Stig-Ørjan Smelror 2017-11-16 07:48:23 CET
MediaWiki has released security updates that fix nine security issues in core and one related issue in the vendor folder.
Stig-Ørjan Smelror 2017-11-16 07:48:45 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Stig-Ørjan Smelror 2017-11-16 08:33:18 CET
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html

* (T128209) Reflected File Download from api.php. Reported by Abdullah Hussam. (CVE-2017-8809)
* (T165846) BotPasswords doesn't throttle login attempts.
* (T134100) On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password. (CVE-2017-8810)
* (T178451) XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (CVE-2017-8808)
* (T176247) It's possible to mangle HTML via raw message parameter expansion. (CVE-2017-8811)
* (T125163) id attribute on headlines allows raw >. (CVE-2017-8812)
* (T124404) language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
* (T119158) Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)

CVE: (none) => CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815

Stig-Ørjan Smelror 2017-11-16 08:46:12 CET

Assignee: bugsquad => luigiwalser

Comment 2 Stig-Ørjan Smelror 2017-11-16 08:52:59 CET
Created attachment 9794
mgarepo update MediaWiki to 1.27.4
David Walser 2017-11-16 14:16:54 CET

Version: Cauldron => 6
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2017-11-16 21:20:10 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

XSS when $wgShowExceptionDetails = false and browser sends non-standard url
escaping (CVE-2017-8808).

Reflected File Download from api.php (CVE-2017-8809).

On private wikis, login form shouldn't distinguish between login failure due
to bad username and bad password (CVE-2017-8810).

It's possible to mangle HTML via raw message parameter expansion
(CVE-2017-8811).

The id attribute on headlines allows raw > (CVE-2017-8812).

Language converter can be tricked into replacing text inside tags by adding a
lot of junk after the rule definition (CVE-2017-8814).

Language converter: unsafe attribute injection via glossary rules
(CVE-2017-8815).

composer.json has require-dev versions of PHPUnit with known security issues
(CVE-2017-9841).

Note that MediaWiki 1.23.x on Mageia 5 is no longer supported.  Those using
the mediawiki package on Mageia 5 should upgrade to Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.4-1.mga6
mediawiki-mysql-1.27.4-1.mga6
mediawiki-pgsql-1.27.4-1.mga6
mediawiki-sqlite-1.27.4-1.mga6

from mediawiki-1.27.4-1.mga6.src.rpm

Summary: MediaWiki Security release: 1.29.2 / 1.28.3 / 1.27.4 => mediawiki new security issues fixed upstream in 1.27.4
Assignee: luigiwalser => qa-bugs
Keywords: (none) => has_procedure

Comment 4 Lewis Smith 2017-11-27 18:03:48 CET
Testing M6/64

BEFORE update: mediawiki-1.27.3-2.mga6, mediawiki-pgsql-1.27.3-2.mga6
Following https://wiki.mageia.org/en/QA_procedure:Mediawiki I installed the packages and followed the setup as far as "Modify the starting page" which entailed logging in & editing.

AFTER update: mediawiki-1.27.4-1.mga6, mediawiki-pgsql-1.27.4-1.mga6
Added a new page, edited it, logged in & out, searched. Short of adding an image (I was unsure about the Help info, which I searched) this seems to work OK. A surfeit of updates precludes perusing the individual CVEs for potential PoCs.

OKing, validating.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK

Comment 5 Mageia Robot 2017-11-29 19:53:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0429.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

