Bug 29190 - Update request: mediawiki-1.35.3-1.1.mga8 / mediawiki-1.31.15-1.mga7 (fixes CVE-2021-35197)
Summary: Update request: mediawiki-1.35.3-1.1.mga8 / mediawiki-1.31.15-1.mga7 (fixes C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO, MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-29 21:54 CEST by Thomas Backlund
Modified: 2021-10-13 15:48 CEST
CC List: 4 users

See Also:
Source RPM: mediawiki
CVE: CVE-2021-35197
Status comment:



Description Thomas Backlund 2021-06-29 21:54:24 CEST
Security fix + some bugfixes:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/


SRPM:
mediawiki-1.35.3-1.mga8.src.rpm

i586:
mediawiki-1.35.3-1.mga8.noarch.rpm
mediawiki-mysql-1.35.3-1.mga8.noarch.rpm
mediawiki-pgsql-1.35.3-1.mga8.noarch.rpm
mediawiki-sqlite-1.35.3-1.mga8.noarch.rpm

x86_64:
mediawiki-1.35.3-1.mga8.noarch.rpm
mediawiki-mysql-1.35.3-1.mga8.noarch.rpm
mediawiki-pgsql-1.35.3-1.mga8.noarch.rpm
mediawiki-sqlite-1.35.3-1.mga8.noarch.rpm
Comment 1 Thomas Backlund 2021-06-29 21:56:57 CEST
Mga 7 rpms, already in use on infra:

SRPM:
mediawiki-1.31.15-1.mga7.src.rpm

i586:
mediawiki-1.31.15-1.mga7.noarch.rpm
mediawiki-mysql-1.31.15-1.mga7.noarch.rpm
mediawiki-pgsql-1.31.15-1.mga7.noarch.rpm
mediawiki-sqlite-1.31.15-1.mga7.noarch.rpm

x86_64:
mediawiki-1.31.15-1.mga7.noarch.rpm
mediawiki-mysql-1.31.15-1.mga7.noarch.rpm
mediawiki-pgsql-1.31.15-1.mga7.noarch.rpm
mediawiki-sqlite-1.31.15-1.mga7.noarch.rpm

Whiteboard: (none) => MGA7TOO, MGA7-64-OK
CVE: (none) => CVE-2021-35197

Thomas Backlund 2021-06-29 22:06:31 CEST

Summary: Update request: mediawiki-1.35.3-1.mga8 => Update request: mediawiki-1.35.3-1.mga8 / mediawiki-1.31.15-1.mga7

Comment 2 Aurelien Oudelet 2021-07-10 20:50:48 CEST
Advisory:
========================

Updated mediawiki packages fix security vulnerability:

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented) (CVE-2021-35197).

The mediawiki packages are upgraded to latest version for their branches.
See upstream release notes for other bugfixes.

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29190
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35197
 - https://www.mediawiki.org/wiki/Release_notes/1.35#MediaWiki_1.35.3
 - https://www.mediawiki.org/wiki/MediaWiki_1.31
========================

Updated packages in core/updates_testing:
========================
SRPM:
mediawiki-1.35.3-1.mga8.src.rpm

i586:
mediawiki-1.35.3-1.mga8.noarch.rpm
mediawiki-mysql-1.35.3-1.mga8.noarch.rpm
mediawiki-pgsql-1.35.3-1.mga8.noarch.rpm
mediawiki-sqlite-1.35.3-1.mga8.noarch.rpm

x86_64:
mediawiki-1.35.3-1.mga8.noarch.rpm
mediawiki-mysql-1.35.3-1.mga8.noarch.rpm
mediawiki-pgsql-1.35.3-1.mga8.noarch.rpm
mediawiki-sqlite-1.35.3-1.mga8.noarch.rpm

SRPM:
mediawiki-1.31.15-1.mga7.src.rpm

i586:
mediawiki-1.31.15-1.mga7.noarch.rpm
mediawiki-mysql-1.31.15-1.mga7.noarch.rpm
mediawiki-pgsql-1.31.15-1.mga7.noarch.rpm
mediawiki-sqlite-1.31.15-1.mga7.noarch.rpm

x86_64:
mediawiki-1.31.15-1.mga7.noarch.rpm
mediawiki-mysql-1.31.15-1.mga7.noarch.rpm
mediawiki-pgsql-1.31.15-1.mga7.noarch.rpm
mediawiki-sqlite-1.31.15-1.mga7.noarch.rpm

CC: (none) => ouaurelien

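A practical way to confirm on a running wiki that the behaviour in the advisory is gone, as an added example for this report (not code from Mageia, from the bug report, or from MediaWiki): log in over the Action API as a bot account that has a sitewide block applied, POST an action=purge, and classify the reply. Before the fix the reply carries a "purged" entry; after it the API answers with a block error. API_URL, the BotPassword pair BOT_USER/BOT_PASSWORD and the page title TARGET are assumptions, and the two sample responses are constructed, not captured from a real wiki.

```python
"""Verify CVE-2021-35197 on a MediaWiki instance: can a bot account that
carries a sitewide block still purge pages through the Action API?

Added example for this bug report; not code from Mageia or from MediaWiki.
Every value marked "assumed" below is an assumption, not taken from the
report.
"""
import json
import sys
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

API_URL = "https://wiki.example.org/w/api.php"  # assumed wiki endpoint
BOT_USER = "PurgeCheckBot@purgecheck"           # assumed BotPassword login name
BOT_PASSWORD = "replace-me"                     # assumed BotPassword secret
TARGET = "Main Page"                            # assumed existing page title

# Error codes ApiBase::dieBlocked() uses when the calling account is blocked.
BLOCK_ERROR_CODES = {"blocked", "autoblocked", "blockedfrommail"}


def classify_purge_response(resp: dict) -> str:
    """Classify the JSON body of an action=purge call.

    'blocked' : the API refused because of the block (fixed behaviour)
    'purged'  : at least one page was purged (vulnerable behaviour when the
                caller is a sitewide-blocked bot)
    'other'   : anything else (missing page, unrelated error, ...)
    """
    err = resp.get("error")
    if err is not None:
        return "blocked" if err.get("code") in BLOCK_ERROR_CODES else "other"
    for entry in resp.get("purge", []):
        if "purged" in entry:  # "" with formatversion=1, true with formatversion=2
            return "purged"
    return "other"


class ApiSession:
    """Minimal cookie-carrying POST client for the MediaWiki Action API."""

    def __init__(self, url: str):
        self.url = url
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def post(self, **params) -> dict:
        params["format"] = "json"
        data = urllib.parse.urlencode(params).encode()
        with self.opener.open(self.url, data=data, timeout=30) as r:
            return json.loads(r.read().decode())

    def login(self, name: str, password: str) -> None:
        token = self.post(action="query", meta="tokens",
                          type="login")["query"]["tokens"]["logintoken"]
        result = self.post(action="login", lgname=name,
                           lgpassword=password, lgtoken=token)
        if result.get("login", {}).get("result") != "Success":
            raise RuntimeError(f"login failed: {result}")

    def purge(self, title: str) -> dict:
        # action=purge must be POSTed; it takes no CSRF token.
        return self.post(action="purge", titles=title)


# Constructed sample responses (not captured from a real wiki) showing the
# two outcomes the classifier tells apart.
SAMPLE_VULNERABLE = {"batchcomplete": "",
                     "purge": [{"ns": 0, "title": "Main Page", "purged": ""}]}
SAMPLE_FIXED = {"error": {"code": "blocked",
                          "info": "You have been blocked from editing."}}


def check_live(url: str = API_URL, user: str = BOT_USER,
               password: str = BOT_PASSWORD, title: str = TARGET) -> str:
    """Log in as the blocked bot, attempt a purge, and return the verdict."""
    s = ApiSession(url)
    s.login(user, password)
    return classify_purge_response(s.purge(title))


if __name__ == "__main__":
    assert classify_purge_response(SAMPLE_VULNERABLE) == "purged"
    assert classify_purge_response(SAMPLE_FIXED) == "blocked"
    verdict = check_live()
    print("purge by blocked bot:", verdict)
    # Non-zero exit when the wiki still shows the vulnerable behaviour.
    sys.exit(1 if verdict == "purged" else 0)
```

Run it against the updated 1.35.3 / 1.31.15 packages with a deliberately sitewide-blocked bot; a "blocked" verdict (exit 0) means the block is now enforced on purge, while "purged" (exit 1) means the instance still behaves as described in the CVE.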
Comment 3 Herman Viaene 2021-07-12 14:18:43 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Made sure httpd and mysqld are running and phpmyadmin is installed.
Followed the wiki, but at the first start of mediawiki to do the configuration, I get:
MediaWiki 1.35 internal error
Installing some PHP extensions is required.
Required components
You are missing a required extension to PHP that MediaWiki requires to run. Please install:
    ctype (more information)
Checked and found that the package php-ctype was not installed, so had MCC install it. Is that a missed dependency?
Then restarted httpd, and now clicking the link "setup the wiki first" gives a screen full of:

MediaWiki internal error.

Original exception: [YOwyKeM57FhZ4PagnM4i_QAAAAM] /mediawiki/mw-config/index.php Error from line 689 of /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php: Class "DOMDocument" not found
Backtrace:
#0 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(669): LocalisationCache->loadPluralFile()
#1 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(642): LocalisationCache->loadPluralFiles()
#2 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(735): LocalisationCache->getPluralRules()
#3 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(861): LocalisationCache->readSourceFilesAndRegisterDeps()
#4 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(497): LocalisationCache->recache()
#5 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(371): LocalisationCache->initLanguage()
#6 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(312): LocalisationCache->loadItem()
#7 /usr/share/mediawiki/includes/language/LanguageFallback.php(106): LocalisationCache->getItem()
#8 /usr/share/mediawiki/includes/language/LanguageFactory.php(175): MediaWiki\Languages\LanguageFallback->getAll()
#9 /usr/share/mediawiki/includes/language/LanguageFactory.php(121): MediaWiki\Languages\LanguageFactory->newFromCode()
#10 /usr/share/mediawiki/includes/installer/WebInstaller.php(507): MediaWiki\Languages\LanguageFactory->getLanguage()
#11 /usr/share/mediawiki/includes/installer/WebInstaller.php(167): WebInstaller->setupLanguage()
#12 /usr/share/mediawiki/mw-config/index.php(82): WebInstaller->execute()
#13 /usr/share/mediawiki/mw-config/index.php(40): wfInstallerMain()
#14 {main}

Exception caught inside exception handler: [YOwyKeM57FhZ4PagnM4i_QAAAAM] /mediawiki/mw-config/index.php Error from line 689 of /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php: Class "DOMDocument" not found
Backtrace:
#0 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(669): LocalisationCache->loadPluralFile()
#1 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(642): LocalisationCache->loadPluralFiles()
#2 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(735): LocalisationCache->getPluralRules()
#3 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(861): LocalisationCache->readSourceFilesAndRegisterDeps()
#4 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(497): LocalisationCache->recache()
#5 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(414): LocalisationCache->initLanguage()
#6 /usr/share/mediawiki/includes/cache/localisation/LocalisationCache.php(333): LocalisationCache->loadSubitem()
#7 /usr/share/mediawiki/languages/Language.php(2645): LocalisationCache->getSubitem()
#8 /usr/share/mediawiki/includes/cache/MessageCache.php(1047): Language->getMessage()
#9 /usr/share/mediawiki/includes/cache/MessageCache.php(1005): MessageCache->getMessageForLang()
#10 /usr/share/mediawiki/includes/cache/MessageCache.php(947): MessageCache->getMessageFromFallbackChain()
#11 /usr/share/mediawiki/includes/language/Message.php(1304): MessageCache->get()
#12 /usr/share/mediawiki/includes/language/Message.php(862): Message->fetchMessage()
#13 /usr/share/mediawiki/includes/language/Message.php(954): Message->toString()
#14 /usr/share/mediawiki/includes/exception/MWExceptionRenderer.php(221): Message->text()
#15 /usr/share/mediawiki/includes/exception/MWExceptionRenderer.php(156): MWExceptionRenderer::msg()
#16 /usr/share/mediawiki/includes/exception/MWExceptionRenderer.php(65): MWExceptionRenderer::reportHTML()
#17 /usr/share/mediawiki/includes/exception/MWExceptionHandler.php(106): MWExceptionRenderer::output()
#18 /usr/share/mediawiki/includes/exception/MWExceptionHandler.php(185): MWExceptionHandler::report()
#19 /usr/share/mediawiki/includes/exception/MWExceptionHandler.php(156): MWExceptionHandler::handleException()
#20 [internal function]: MWExceptionHandler::handleUncaughtException()
#21 {main}
Just note that this is a Dutch installation; is there something wrong in that area?

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2021-07-12 14:27:12 CEST
Changing the language in MCC - System to English (this is always installed by default?), logging out and back in, does not make any difference for this error
Comment 5 Herman Viaene 2021-07-12 14:28:10 CEST
In fact, the whole system is still in Dutch
Comment 6 Herman Viaene 2021-07-12 14:29:54 CEST
Correction MCC is now in English, but the whole Plasma is still Dutch
Comment 7 Thomas Backlund 2021-07-12 15:05:31 CEST
the other missing package is "php-dom"

I've submitted a:  mediawiki-1.35.3-1.1.mga8

that adds requires on php-ctype and php-dom
Comment 8 Herman Viaene 2021-07-12 16:42:44 CEST
Once this php-dom is installed, the mediawiki gets created as per the wiki.
So Thomas, what next? OK this update (and let the M7 go through), or do it again with the new version you just created?
Comment 9 Thomas Backlund 2021-07-12 16:54:17 CEST
We'll OK and push that mediawiki-1.35.3-1.1.mga8, as the only thing changed from the one you tested is the added requires:
http://svnweb.mageia.org/packages/updates/8/mediawiki/current/SPECS/mediawiki.spec?r1=1734343&r2=1735719&pathrev=1735720
Comment 10 Dave Hodgins 2021-07-12 18:40:57 CEST
The m7 update should go ahead despite the missing requires as those
who are using it likely had them installed due to other packages such as
task-lamp. The missing requires are not regressions.

As for m8, the new package needs a quick test before validating, to ensure
it doesn't have some problem such as an unsigned rpm.

CC: (none) => davidwhodgins

Comment 11 Thomas Backlund 2021-07-12 19:07:25 CEST
yeah, 
I already that mediawiki-1.35.3-1.1.mga8 correctly pulled in php-ctype and php-dom (after first removing all mediawiki packages and the php packages)
Comment 12 Thomas Backlund 2021-07-12 19:09:19 CEST
... already *tested* ...
Comment 13 Dave Hodgins 2021-07-12 20:33:38 CEST
Thanks. Validating the update.

Whiteboard: MGA7TOO, MGA7-64-OK => MGA7TOO, MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 14 Aurelien Oudelet 2021-07-12 20:34:45 CEST
(In reply to Thomas Backlund from comment #11)
> yeah, 
> I already that mediawiki-1.35.3-1.1.mga8 correctly pulled in php-ctype and
> php-dom (after first removing all mediawiki packages and the php packages)

(In reply to Thomas Backlund from comment #12)
> ... already *tested* ...

MGA8-OK-64.
Validating.

Keywords: (none) => advisory
Summary: Update request: mediawiki-1.35.3-1.mga8 / mediawiki-1.31.15-1.mga7 => Update request: mediawiki-1.35.3-1.1.mga8 / mediawiki-1.31.15-1.mga7

Comment 15 Mageia Robot 2021-07-12 22:27:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0346.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 16 David Walser 2021-10-13 15:48:01 CEST
Fedora has issued an advisory for this on October 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/

Summary: Update request: mediawiki-1.35.3-1.1.mga8 / mediawiki-1.31.15-1.mga7 => Update request: mediawiki-1.35.3-1.1.mga8 / mediawiki-1.31.15-1.mga7 (fixes CVE-2021-35197)

