Bug 30837 - mediawiki new security issues fixed upstream in 1.35.7
Summary: mediawiki new security issues fixed upstream in 1.35.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-09 19:55 CEST by David Walser
Modified: 2022-09-16 21:41 CEST (History)
4 users (show)

See Also:
Source RPM: mediawiki-1.35.6-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-09-09 19:55:54 CEST 
Upstream has announced version 1.35.7 on June 30:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/

It fixes several security issues.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Username is not escaped in the "welcomeuser" message (T308471).

Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues
(CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090,
CVE-2022-31091).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.6-1.mga8
mediawiki-mysql-1.35.6-1.mga8
mediawiki-pgsql-1.35.6-1.mga8
mediawiki-sqlite-1.35.6-1.mga8

from mediawiki-1.35.6-1.mga8.src.rpm
Comment 1 David Walser 2022-09-13 23:42:55 CEST 
Fedora has issued an advisory for this on September 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/

There's a CVE for the issue that didn't have one in the initial announcement.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

An issue was discovered in MediaWiki before 1.35.7. XSS can occur in
configurations that allow a JavaScript payload in a username. After account
creation, when it sets the page title to "Welcome" followed by the username,
the username is not escaped: SpecialCreateAccount::successfulAction() calls
::showSuccessPage() with a message as second parameter, and
OutputPage::setPageTitle() uses text() (CVE-2022-34911).

Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues
(CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090,
CVE-2022-31091).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
Comment 2 Herman Viaene 2022-09-15 10:08:48 CEST 
MGA8-64  Plasma on Acer Aspire 5253
No installation issues.
Made sure mysqld and httpd are running, then follow wiki deleting previous test wiki and files in /var/www and /etc.
Then install the updates and run the setup as per wiki.
Make first new page as per bug 25986.
All works OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-09-16 02:52:59 CEST 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-16 20:11:59 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-09-16 21:41:59 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0338.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.