MediaWiki has released security updates that fixes nine security issues in core and one related issue in the vendor folder.
Whiteboard: (none) => MGA6TOO
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html * (T128209) Reflected File Download from api.php. Reported by Abdullah Hussam. (CVE-2017-8809) * (T165846) BotPasswords doesn't throttle login attempts. * (T134100) On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password. (CVE-2017-8810) * (T178451) XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (CVE-2017-8808) * (T176247) It's possible to mangle HTML via raw message parameter expansion.(CVE-2017-8811) * (T125163) id attribute on headlines allow raw >. (CVE-2017-8812) * (T124404) language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition. (CVE-2017-8814) * (T119158) Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)
CVE: (none) => CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815
Assignee: bugsquad => luigiwalser
Created attachment 9794 [details] mgarepo update MediaWiki to 1.27.4
Version: Cauldron => 6CC: (none) => shlomifWhiteboard: MGA6TOO => (none)
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping (CVE-2017-8808). Reflected File Download from api.php (CVE-2017-8809). On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password (CVE-2017-8810). It's possible to mangle HTML via raw message parameter expansion (CVE-2017-8811). The id attribute on headlines allow raw > (CVE-2017-8812). Language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814). Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815). composer.json has require-dev versions of PHPUnit with known security issues (CVE-2017-9841). Note that MediaWiki 1.23.x on Mageia 5 is no longer supported. Those using the mediawiki package on Mageia 5 should upgrade to Mageia 6. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8811 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841 https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.27.4-1.mga6 mediawiki-mysql-1.27.4-1.mga6 mediawiki-pgsql-1.27.4-1.mga6 mediawiki-sqlite-1.27.4-1.mga6 from mediawiki-1.27.4-1.mga6.src.rpm
Summary: MediaWiki Security release: 1.29.2 / 1.28.3 / 1.27.4 => mediawiki new security issues fixed upstream in 1.27.4Assignee: luigiwalser => qa-bugsKeywords: (none) => has_procedure
Testing M6/64 BEFORE update: mediawiki-1.27.3-2.mga6, mediawiki-pgsql-1.27.3-2.mga6 Following https://wiki.mageia.org/en/QA_procedure:Mediawiki I installed the packages and followed the setup as far as "Modify the starting page" which entailed logging in & editing. AFTER update: mediawiki-1.27.4-1.mga6, mediawiki-pgsql-1.27.4-1.mga6 Added a new page, edited it, logged in & out, searched. Short of adding an image (I was unsure about the Help info, which I searched) this seems to work OK. A surfeit of updates precludes perusing the individual CVEs for potential PoCs. OKing, validating.
CC: (none) => lewyssmith, sysadmin-bugsKeywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0429.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED