Bug 25273 - mediawiki new security issues fixed upstream in 1.27.6 and 1.31.2
Summary: mediawiki new security issues fixed upstream in 1.27.6 and 1.31.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-11 22:19 CEST by David Walser
Modified: 2019-09-15 16:46 CEST (History)
4 users (show)

See Also:
Source RPM: mediawiki-1.31.1-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-11 22:19:51 CEST
Upstream has announced versions 1.27.6 and 1.31.2 on June 6:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html

They fix several security issues.

They were followed bugfix releases 1.27.7 and 1.31.3 on June 7 and July 2:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html

Debian has issued an advisory for this on June 12:
https://www.debian.org/security/2019/dsa-4460
David Walser 2019-08-11 22:19:59 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-11 22:33:50 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing our sysadmin team, in case https://wiki.mageia.org/ is affected by one or more of those security issues

CC: (none) => marja11, sysadmin-bugs
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-08-12 02:26:33 CEST
Updated packages uploaded for Mageia 6, Mageia 7, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Potential XSS in jQuery (CVE-2019-11358).

An account can be logged out without using a token (CSRF) (CVE-2019-12466).

A spammer can use Special:ChangeEmail to send out spam with no rate limiting
or ability to block them (CVE-2019-12467).

Directly POSTing to Special:ChangeEmail would allow for bypassing
reauthentication, allowing for potential account takeover (CVE-2019-12468).

Exposed suppressed username or log in Special:EditTags (CVE-2019-12469).

Exposed suppressed log in RevisionDelete page (CVE-2019-12470).

Loading user JavaScript from a non-existent account allows anyone to create
the account, and XSS the users' loading that script (CVE-2019-12471).

It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`)
by using the API (CVE-2019-12472).

Passing invalid titles to the API could cause a DoS by querying the entire
`watchlist` table (CVE-2019-12473).

Privileged API responses that include whether a recent change has been
patrolled may be cached publicly (CVE-2019-12474).

The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2
(Mageia 7), fixing these issues and other bugs.  See the release announcements
for more details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12474
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.7-1.mga6
mediawiki-mysql-1.27.7-1.mga6
mediawiki-pgsql-1.27.7-1.mga6
mediawiki-sqlite-1.27.7-1.mga6
mediawiki-1.31.3-1.mga7
mediawiki-mysql-1.31.3-1.mga7
mediawiki-pgsql-1.31.3-1.mga7
mediawiki-sqlite-1.31.3-1.mga7

from SRPMS:
mediawiki-1.27.7-1.mga6.src.rpm
mediawiki-1.31.3-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 3 Thomas Backlund 2019-09-07 00:39:27 CEST
Installed on Mageia infra, seems to work ok

CC: (none) => tmb
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 4 Herman Viaene 2019-09-15 10:13:38 CEST
MGA7-64 Plasma on Lenobo B50
No installation issues.
Followed instructions as per https://wiki.mageia.org/en/QA_procedure:Mediawiki , completely up to accessing a new wiki using mysql rather then postgres.
All OK.

CC: (none) => herman.viaene
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Thomas Backlund 2019-09-15 15:45:51 CEST

Keywords: (none) => advisory, validated_update

Comment 5 Mageia Robot 2019-09-15 16:46:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0279.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.