Bug 30873 - dokuwiki new security issue CVE-2022-3123
Summary: dokuwiki new security issue CVE-2022-3123
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-20 14:23 CEST by David Walser
Modified: 2022-10-19 01:16 CEST

See Also:
Source RPM: dokuwiki-20201204-0.20201204.1.dev.gitf2a13d8.mga9.src.rpm
CVE: CVE-2022-3123
Status comment:



Description David Walser 2022-09-20 14:23:01 CEST
Fedora has issued an advisory today (September 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/

The issue is fixed upstream in 2022-07-31a:
https://www.dokuwiki.org/changes#release_2022-07-31a_igor

Mageia 8 is also affected.

David Walser 2022-09-20 14:24:11 CEST

Status comment: (none) => Fixed upstream in 2022-07-31a
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-09-20 17:36:02 CEST
Assigning to our registered dokuwiki maintainer.

Assignee: bugsquad => joequant
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-10-11 14:45:54 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. (CVE-2022-3123)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3123
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2/
https://www.dokuwiki.org/changes#release_2022-07-31a_igor
========================

Updated package in core/updates_testing:
========================
dokuwiki-20220731-1.mga8

from SRPM:
dokuwiki-20220731-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 2022-07-31a => (none)
Assignee: joequant => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-3123

Comment 3 Herman Viaene 2022-10-15 11:44:04 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Made sure httpd is running.
Followed editing /etc/httpd/conf/httpd.conf as described in bug 20431 Comment 2, restarted httpd and pointed to http://localhost/dokuwiki
and this brings up a start page Dokuwiki mentioning
"This topic does not exist yet

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”."
Did that, just entered some nonsense text into it, closed the page and reopened the page, the text was there OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-10-15 16:02:42 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-18 23:27:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-10-19 01:16:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0372.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

