Upstream has announced versions 1.27.6 and 1.31.2 on June 6: https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html They fix several security issues. They were followed bugfix releases 1.27.7 and 1.31.3 on June 7 and July 2: https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html Debian has issued an advisory for this on June 12: https://www.debian.org/security/2019/dsa-4460
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing our sysadmin team, in case https://wiki.mageia.org/ is affected by one or more of those security issues
CC: (none) => marja11, sysadmin-bugsAssignee: bugsquad => pkg-bugs
Updated packages uploaded for Mageia 6, Mageia 7, and Cauldron. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: Potential XSS in jQuery (CVE-2019-11358). An account can be logged out without using a token (CSRF) (CVE-2019-12466). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them (CVE-2019-12467). Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover (CVE-2019-12468). Exposed suppressed username or log in Special:EditTags (CVE-2019-12469). Exposed suppressed log in RevisionDelete page (CVE-2019-12470). Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script (CVE-2019-12471). It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API (CVE-2019-12472). Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table (CVE-2019-12473). Privileged API responses that include whether a recent change has been patrolled may be cached publicly (CVE-2019-12474). The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2 (Mageia 7), fixing these issues and other bugs. See the release announcements for more details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12466 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12467 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12468 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12469 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12470 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12471 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12472 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12473 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12474 https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.27.7-1.mga6 mediawiki-mysql-1.27.7-1.mga6 mediawiki-pgsql-1.27.7-1.mga6 mediawiki-sqlite-1.27.7-1.mga6 mediawiki-1.31.3-1.mga7 mediawiki-mysql-1.31.3-1.mga7 mediawiki-pgsql-1.31.3-1.mga7 mediawiki-sqlite-1.31.3-1.mga7 from SRPMS: mediawiki-1.27.7-1.mga6.src.rpm mediawiki-1.31.3-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugsWhiteboard: MGA7TOO, MGA6TOO => MGA6TOOVersion: Cauldron => 7
Installed on Mageia infra, seems to work ok
CC: (none) => tmbWhiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
MGA7-64 Plasma on Lenobo B50 No installation issues. Followed instructions as per https://wiki.mageia.org/en/QA_procedure:Mediawiki , completely up to accessing a new wiki using mysql rather then postgres. All OK.
CC: (none) => herman.viaeneWhiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0279.html
Status: NEW => RESOLVEDResolution: (none) => FIXED