Bug 25986 - mediawiki new security issue fixed upstream in 1.31.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-29 05:13 CET by David Walser
Modified: 2020-01-05 16:40 CET

See Also:
Source RPM: mediawiki-1.31.5-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-12-29 05:13:37 CET
Upstream has announced version 1.31.4 on October 7:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000236.html

It fixes one security issue.

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist
protection mechanism by starting with an arbitrary title, establishing a
non-resolvable redirect for the associated page, and using redirect=1 in the
action API when editing that page (CVE-2019-19709).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19709
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-December/000243.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.6-1.mga7
mediawiki-mysql-1.31.6-1.mga7
mediawiki-pgsql-1.31.6-1.mga7
mediawiki-sqlite-1.31.6-1.mga7

from mediawiki-1.31.6-1.mga7.src.rpm
Comment 1 David Walser 2019-12-29 05:13:49 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2020-01-03 16:00:14 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki up to creating a new wiki and a new page in it (trick: there is no "New" button, just type a name in the search box, it will not find it, but then you can create it).
Works OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-01-03 19:34:18 CET
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 13:48:45 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-01-05 16:40:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0021.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

