Upstream has announced versions 1.31.9 and 1.31.10 on September 24:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html

They fix several security issues.

Debian has issued an advisory for this on September 25:
https://www.debian.org/security/2020/dsa-4767

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Multiple security issues were discovered in MediaWiki: SpecialUserRights could leak whether a user existed or not, multiple code paths lacked HTML sanitisation allowing for cross-site scripting and TOTP validation applied insufficient rate limiting against brute force attempts (CVE-2020-25812, CVE-2020-25813, CVE-2020-25814, CVE-2020-25815, CVE-2020-25827, CVE-2020-25828).

Possible issues with actors not being loaded from the correct database or wiki (CVE-2020-25869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25869
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html
https://www.debian.org/security/2020/dsa-4767
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.10-1.mga7
mediawiki-mysql-1.31.10-1.mga7
mediawiki-pgsql-1.31.10-1.mga7
mediawiki-sqlite-1.31.10-1.mga7

from mediawiki-1.31.10-1.mga7.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki
Keywords: (none) => has_procedure
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed wiki using mysql, worked OK. Changed first page and added (see trick from bug 26921: create a new page by searching for its not yet existing name), then inserted link to it in main page. All works OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validated update, adv and packages in Description.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
Validated update, adv and packages in Comment 0.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0381.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED