Bug 27331 - mediawiki new security issues fixed upstream in 1.31.10
Summary: mediawiki new security issues fixed upstream in 1.31.10
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2020-09-26 20:25 CEST by David Walser
Modified: 2020-09-30 12:03 CEST

See Also:
Source RPM: mediawiki-1.31.8-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-09-26 20:25:29 CEST
Upstream has announced versions 1.31.9 and 1.31.10 on September 24:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html

They fix several security issues.

Debian has issued an advisory for this on September 25:
https://www.debian.org/security/2020/dsa-4767

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Multiple security issues were discovered in MediaWiki: SpecialUserRights could
leak whether a user existed or not, multiple code paths lacked HTML
sanitisation allowing for cross-site scripting and TOTP validation applied
insufficient rate limiting against brute force attempts (CVE-2020-25812,
CVE-2020-25813, CVE-2020-25814, CVE-2020-25815, CVE-2020-25827,
CVE-2020-25828).

Possible issues with actors not being loaded from the correct database or wiki
(CVE-2020-25869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25869
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html
https://www.debian.org/security/2020/dsa-4767
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.10-1.mga7
mediawiki-mysql-1.31.10-1.mga7
mediawiki-pgsql-1.31.10-1.mga7
mediawiki-sqlite-1.31.10-1.mga7

from mediawiki-1.31.10-1.mga7.src.rpm
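The TOTP weakness named in the advisory (insufficient rate limiting against brute force) is easiest to see with an unlimited verifier beside a rate-limited one. The following is an added example written for this page, not MediaWiki's own code: it is in Python rather than PHP, uses the RFC 4226/6238 test secret and 30-second step as constructed input, and the lockout limits (5 failures per 300 s) are assumed values, not what upstream chose.

```python
"""TOTP verification without and with brute-force rate limiting (illustration)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class NaiveVerifier:
    """Weak: any number of guesses is accepted, so a 6-digit code falls to at
    most 10**6 attempts inside one time step. compare_digest avoids a timing
    side channel but does nothing against volume."""

    def __init__(self, secret: bytes, now: int):
        self.expected = totp(secret, now)

    def verify(self, code: str) -> str:
        return "ok" if hmac.compare_digest(code, self.expected) else "bad"


class RateLimitedVerifier:
    """Hardened: count failed attempts per user in a sliding window and refuse
    further checks once the limit is reached. Limits are assumed values."""

    def __init__(self, secret: bytes, max_failures: int = 5, window: int = 300):
        self.secret = secret
        self.max_failures = max_failures
        self.window = window
        self.failures = {}  # user -> list of failure timestamps

    def verify(self, user: str, code: str, now: int) -> str:
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        if len(recent) >= self.max_failures:
            return "locked"  # refuse before even comparing the code
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.failures.pop(user, None)
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        return "bad"


def brute_force(verify, max_guesses: int = 10 ** 6):
    """Try every 6-digit code in order; return (guesses made, success)."""
    for guess in range(max_guesses):
        result = verify(f"{guess:06d}")
        if result == "ok":
            return guess + 1, True
        if result == "locked":
            return guess, False
    return max_guesses, False


SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret (constructed input)
T = 59                            # RFC 6238 test time: expected code is 287082


def demo():
    naive = NaiveVerifier(SECRET, T)
    hardened = RateLimitedVerifier(SECRET)
    results = {
        "naive": brute_force(naive.verify),
        "hardened": brute_force(lambda c: hardened.verify("alice", c, T)),
    }
    # The cost of lockout: alice's correct code is refused until the window passes.
    results["locked_legit"] = hardened.verify("alice", totp(SECRET, T), T)
    results["after_window"] = hardened.verify("alice", totp(SECRET, T + 300), T + 300)
    return results


if __name__ == "__main__":
    print(demo())
```

Against the naive verifier the attacker simply walks the code space and lands on 287082 well inside a single time step; the rate-limited verifier stops answering after five failures, which also means a legitimate user who is being attacked is locked out until the window expires, a trade-off any limiter of this kind has to accept.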

Comment 1 David Walser 2020-09-26 20:25:45 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2020-09-28 16:47:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki using mysql, worked OK.
Changed first page and added (see trick from bug 26921: create a new page by searching for its not yet existing name), then inserted link to it in main page.
All works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 Aurelien Oudelet 2020-09-29 15:29:02 CEST
Validated update, adv and packages in Description.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 4 Aurelien Oudelet 2020-09-29 15:39:36 CEST
Validated update, adv and packages in Comment 0.

Comment 5 Mageia Robot 2020-09-30 12:03:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

