Upstream has announced version 1.35.7 on June 30: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/ It fixes several security issues. Updated packages uploaded for Mageia 8 and Cauldron. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: Username is not escaped in the "welcomeuser" message (T308471). Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues (CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090, CVE-2022-31091). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091 https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3 https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.35.6-1.mga8 mediawiki-mysql-1.35.6-1.mga8 mediawiki-pgsql-1.35.6-1.mga8 mediawiki-sqlite-1.35.6-1.mga8 from mediawiki-1.35.6-1.mga8.src.rpm
Fedora has issued an advisory for this on September 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ There's a CVE for the issue that didn't have one in the initial announcement. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: An issue was discovered in MediaWiki before 1.35.7. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text() (CVE-2022-34911). Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues (CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090, CVE-2022-31091). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911 https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3 https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
MGA8-64 Plasma on Acer Aspire 5253 No installation issues. Made sure mysqld and httpd are running, then follow wiki deleting previous test wiki and files in /var/www and /etc. Then install the updates and run the setup as per wiki. Make first new page as per bug 25986. All works OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0338.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED