Bug 24303 - dokuwiki new version 20180422b fixes security issue with ACLs
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-03 00:16 CET by David Walser
Modified: 2019-08-17 21:44 CEST
CC List: 8 users

See Also:
Source RPM: dokuwiki-20180422a-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 20180422b


Description David Walser 2019-02-03 00:16:47 CET
See:
https://www.dokuwiki.org/changes
https://github.com/splitbrain/dokuwiki/pull/2609

Mageia 6 is also affected.
David Walser 2019-02-03 00:16:53 CET

Whiteboard: (none) => MGA6TOO

David Walser 2019-02-03 02:48:50 CET

Status comment: (none) => Fixed upstream in 20180422b

Comment 1 Marja Van Waes 2019-02-03 08:43:32 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing two committers.

CC: (none) => joequant, marja11, ngompa13
Assignee: bugsquad => pkg-bugs

Comment 2 Stig-Ørjan Smelror 2019-02-17 23:38:01 CET
Version 20180422b pushed to Cauldron.

Whiteboard: MGA6TOO => (none)
CC: (none) => smelror
Assignee: pkg-bugs => smelror
Version: Cauldron => 6

Comment 3 Stig-Ørjan Smelror 2019-02-18 10:22:40 CET
Advisory
========

Dokuwiki has been updated to fix a security issue regarding ACL that causes serious security issues in plugins that rely on this ACL check in search_allpages like the include plugin.

References
==========
https://www.dokuwiki.org/changes
https://github.com/splitbrain/dokuwiki/pull/2609

Files
=====

Uploaded to core/updates_testing:

dokuwiki-20180422b-1.1.mga6

from dokuwiki-20180422b-1.1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 4 Herman Viaene 2019-02-19 14:21:12 CET
MGA6-32 MATE on IBM Thinkpad R50e
Installation: I had to downgrade apache first because of the issues with the current update.
Then when I try to install dokuwiki I get:
"Sorry, the following package can not be  selected:
dokuwiki-20180422b-1.1.mga6.noarch (because of unfulfilled pear(other/ide_stubs/libsodium.php))"

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-02-28 22:37:50 CET
MGA6-64 Plasma on Athlon X2 7750, Nvidia340 graphics.

Installed dokuwiki-20170219-4.1, which pulled in several Apache and php 7 packages, all of which installed cleanly.

But, when I used qarepo to get the dokuwiki update and tried to install, I got the same error message that Herman got on his 32-bit system.

CC: (none) => andrewsfarm

Comment 6 Stig-Ørjan Smelror 2019-02-28 22:41:08 CET
Thanks TJ.

I had forgotten about this error. Have asked for assistance and will push an update once it's been fixed.

Cheers,
Stig

Comment 7 Brian Rockwell 2019-08-17 21:41:39 CEST
Any news on this 6 month old fix?

CC: (none) => brtians1

Comment 8 David Walser 2019-08-17 21:44:14 CEST
We should have at least had a feedback tag on this.  Whoops.

CC: (none) => qa-bugs
Assignee: qa-bugs => smelror

