Upstream has announced version 1.31.7 on March 26:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html

It fixes one security issue.

Debian has issued an advisory for this on April 2:
https://www.debian.org/security/2020/dsa-4651

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

In MediaWiki before 1.31.7, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS) (CVE-2020-10960).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10960
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.7-1.mga7
mediawiki-mysql-1.31.7-1.mga7
mediawiki-pgsql-1.31.7-1.mga7
mediawiki-sqlite-1.31.7-1.mga7

from mediawiki-1.31.7-1.mga7.src.rpm

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Also, I changed the ownership of /usr/share/mediawiki/mw-config from what looked to be incorrectly set to apache:apache all these years to be root:root with everything else in /usr/share. Please make sure this doesn't cause any issues, especially with setting up a new installation (though I don't expect it to).
Keywords: (none) => has_procedure
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed QA procedure:

# systemctl start httpd
# systemctl status -l httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-04-08 13:38:58 CEST; 3s ago
 Main PID: 4690 (httpd)
   Status: "Processing requests..."
   Memory: 34.3M
   CGroup: /system.slice/httpd.service
           ├─4690 /usr/sbin/httpd -DFOREGROUND
           ├─4692 /usr/sbin/httpd -DFOREGROUND
           ├─4693 /usr/sbin/httpd -DFOREGROUND
           ├─4696 /usr/sbin/httpd -DFOREGROUND
           ├─4703 /usr/sbin/httpd -DFOREGROUND
           ├─4708 /usr/sbin/httpd -DFOREGROUND
           └─4713 /usr/sbin/httpd -DFOREGROUND

Apr 08 13:38:57 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Apr 08 13:38:58 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start mysqld
# systemctl status -l mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-04-08 13:39:11 CEST; 10s ago
  Process: 4749 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 4763 (mysqld)
   Status: "Taking your SQL requests now..."
   Memory: 66.8M
   CGroup: /system.slice/mysqld.service
           └─4763 /usr/sbin/mysqld

Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: 10.3.22 started; log sequence numbe>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] InnoDB: Loading buffer pool(s) from /var/li>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 200408 13:39:11 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 200408 13:39:11 server_audit: Query cache is enabled with the TABLE even>
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] Reading of all Master_info entries succeeded
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] Added new Master_info '' to hash table
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: 2020-04-08 13:39:11 0 [Note] /usr/sbin/mysqld: ready for connections.
Apr 08 13:39:11 mach5.hviaene.thuis mysqld[4763]: Version: '10.3.22-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0>
Apr 08 13:39:11 mach5.hviaene.thuis systemd[1]: Started MySQL database server.

Setup of mediawiki seems OK, checked presence of database with phpmyadmin, looks OK, found records of the pages in the pages table.
No problem seen, David.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0167.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED