Bug 25273 - mediawiki new security issues fixed upstream in 1.27.6 and 1.31.2
Summary: mediawiki new security issues fixed upstream in 1.27.6 and 1.31.2
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-11 22:19 CEST by David Walser
Modified: 2019-08-12 02:26 CEST (History)
2 users (show)

See Also:
Source RPM: mediawiki-1.31.1-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-11 22:19:51 CEST
Upstream has announced versions 1.27.6 and 1.31.2 on June 6:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html

They fix several security issues.

They were followed bugfix releases 1.27.7 and 1.31.3 on June 7 and July 2:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html

Debian has issued an advisory for this on June 12:
https://www.debian.org/security/2019/dsa-4460
David Walser 2019-08-11 22:19:59 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-11 22:33:50 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing our sysadmin team, in case https://wiki.mageia.org/ is affected by one or more of those security issues

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, sysadmin-bugs

Comment 2 David Walser 2019-08-12 02:26:33 CEST
Updated packages uploaded for Mageia 6, Mageia 7, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Potential XSS in jQuery (CVE-2019-11358).

An account can be logged out without using a token (CSRF) (CVE-2019-12466).

A spammer can use Special:ChangeEmail to send out spam with no rate limiting
or ability to block them (CVE-2019-12467).

Directly POSTing to Special:ChangeEmail would allow for bypassing
reauthentication, allowing for potential account takeover (CVE-2019-12468).

Exposed suppressed username or log in Special:EditTags (CVE-2019-12469).

Exposed suppressed log in RevisionDelete page (CVE-2019-12470).

Loading user JavaScript from a non-existent account allows anyone to create
the account, and XSS the users' loading that script (CVE-2019-12471).

It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`)
by using the API (CVE-2019-12472).

Passing invalid titles to the API could cause a DoS by querying the entire
`watchlist` table (CVE-2019-12473).

Privileged API responses that include whether a recent change has been
patrolled may be cached publicly (CVE-2019-12474).

The mediawiki package has been updated to version 1.27.6 (Mageia 6) and 1.31.2
(Mageia 7), fixing these issues and other bugs.  See the release announcements
for more details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12474
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000232.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-July/000234.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.27.7-1.mga6
mediawiki-mysql-1.27.7-1.mga6
mediawiki-pgsql-1.27.7-1.mga6
mediawiki-sqlite-1.27.7-1.mga6
mediawiki-1.31.3-1.mga7
mediawiki-mysql-1.31.3-1.mga7
mediawiki-pgsql-1.31.3-1.mga7
mediawiki-sqlite-1.31.3-1.mga7

from SRPMS:
mediawiki-1.27.7-1.mga6.src.rpm
mediawiki-1.31.3-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Assignee: pkg-bugs => qa-bugs


Note You need to log in before you can comment on or make changes to this bug.