30873 – dokuwiki new security issue CVE-2022-3123

Bug 30873 - dokuwiki new security issue CVE-2022-3123

Summary: dokuwiki new security issue CVE-2022-3123

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-09-20 14:23 CEST by David Walser
Modified:	2022-10-19 01:16 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	dokuwiki-20201204-0.20201204.1.dev.gitf2a13d8.mga9.src.rpm
CVE:	CVE-2022-3123
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-09-20 14:23:01 CEST

Fedora has issued an advisory today (September 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/

The issue is fixed upstream in 2022-07-31a:
https://www.dokuwiki.org/changes#release_2022-07-31a_igor

Mageia 8 is also affected.

David Walser 2022-09-20 14:24:11 CEST

Status comment: (none) => Fixed upstream in 2022-07-31a
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-09-20 17:36:02 CEST

Assigning to our registered dokuwiki maintainer.

Assignee: bugsquad => joequant
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-10-11 14:45:54 CEST

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. (CVE-2022-3123)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3123
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/
https://www.dokuwiki.org/changes#release_2022-07-31a_igor
========================

Updated package in core/updates_testing:
========================
dokuwiki-20220731-1.mga8

from SRPM:
dokuwiki-20220731-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 2022-07-31a => (none)
Assignee: joequant => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-3123

Comment 3 Herman Viaene 2022-10-15 11:44:04 CEST

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Made sure httpd is running.
Followed editing /etc/httpd/conf/httpd.conf as described in bug 20431 Comment 2, restarted httpd and pointed to  http://localhost/dokuwiki
and this brings up a startpage Dokuwiki mentioning
"This topic does not exist yet

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”."
Did that, just entered some nonsense text into it, closed the page and reopened the page, the text was there OK

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-10-15 16:02:42 CEST

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-18 23:27:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-10-19 01:16:19 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0372.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.