Bug 30943 - mediawiki new security issues fixed upstream in 1.35.8
Summary: mediawiki new security issues fixed upstream in 1.35.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-06 14:28 CEST by David Walser
Modified: 2022-10-13 22:06 CEST (History)

See Also:
Source RPM: mediawiki-1.35.7-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-10-06 14:28:27 CEST
Upstream has announced version 1.35.8 on September 29:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/

It fixes several security issues.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

HTMLUserTextField exposes existence of hidden users (CVE-2022-41765).

reassignEdits doesn't update results in an IP range check on
Special:Contributions (CVE-2022-41767).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41767
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.8-1.mga8
mediawiki-mysql-1.35.8-1.mga8
mediawiki-pgsql-1.35.8-1.mga8
mediawiki-sqlite-1.35.8-1.mga8

from mediawiki-1.35.8-1.mga8.src.rpm
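The advisory summarises CVE-2022-41765 in one line: HTMLUserTextField exposes the existence of hidden users. The report does not say how the field leaked this, so the following is an added illustration of the general defensive pattern such a fix enforces, not MediaWiki's code: a user-lookup field must answer identically for a hidden account and for a nonexistent one unless the caller holds the right to see hidden users. The user table, the user names and the `hideuser` right string are constructed for the example; `validate_leaky` is a hypothetical shape of the flaw, written to make the contrast with `validate_uniform` testable.

```python
"""Added illustration (not MediaWiki's code) of a non-oracle user lookup:
a hidden account must be indistinguishable from a nonexistent one for any
caller who lacks the right to see hidden users."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    hidden: bool = False  # account suppressed from public view


# Constructed sample user table.
USERS = {
    "Alice": User("Alice"),
    "Hiddenuser": User("Hiddenuser", hidden=True),
}

USER_NOT_FOUND = "User does not exist"
USER_HIDDEN = "User is hidden"


def validate_leaky(name, viewer_rights):
    """Hypothetical flawed shape (assumption, not the real bug): existence is
    checked before visibility, so an unprivileged caller gets a different
    error for a hidden user than for an unknown one."""
    user = USERS.get(name)
    if user is None:
        return USER_NOT_FOUND
    if user.hidden and "hideuser" not in viewer_rights:
        return USER_HIDDEN  # distinguishable from USER_NOT_FOUND: an oracle
    return None


def validate_uniform(name, viewer_rights):
    """Hardened form: for viewers without the right, hidden users fall into
    the same branch as unknown users, so the response carries no signal."""
    user = USERS.get(name)
    if user is None or (user.hidden and "hideuser" not in viewer_rights):
        return USER_NOT_FOUND
    return None


def is_oracle(validate, viewer_rights):
    """Regression check: True if the responses for a hidden user and for a
    nonexistent user differ for the given viewer."""
    hidden = validate("Hiddenuser", viewer_rights)
    missing = validate("Nosuchuser", viewer_rights)
    return hidden != missing


if __name__ == "__main__":
    for label, fn in (("leaky", validate_leaky), ("uniform", validate_uniform)):
        print(f"{label}: oracle for unprivileged viewer = {is_oracle(fn, set())}")
```

The `is_oracle` check is the kind of unit test worth keeping in a regression suite for any user-facing lookup: it asserts on the observable response rather than on internal state, and it still passes (reports an oracle) for a viewer who legitimately holds the right, which is the intended behaviour.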
Comment 1 David Walser 2022-10-06 14:28:54 CEST
Debian has issued an advisory for this on October 4:
https://www.debian.org/security/2022/dsa-5246
Comment 2 Herman Viaene 2022-10-13 15:49:56 CEST
Followed the wiki for the umpteenth time, but when pointing to http://localhost/mediawiki/, I get Error 404. And yes, both httpd and mysqld are running, because I used phpMyAdmin to set up the database and user.
This laptop did not have mediawiki before.
I just noticed that the /etc/mediawiki folder is empty.

CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2022-10-13 18:36:48 CEST
As root
From release and updates repos, installed mediawiki and php-mysqli selecting
apache, mysql, and required dependencies.

Edited /etc/php.d/05_date.ini and added a line with "date.timezone =America/Toronto"

"systemctl start mysqld.service"
"mysql_secure_installation", set the root password etc

"systemctl start httpd.service"

As regular user "firefox http://localhost/mediawiki"
Clicked on the "set up the wiki" link to http://localhost/mediawiki/mw-config/index.php

Selected mariadb as the db type and provided the root mysql password and chose to use the
same account for installation.

Was reminded of the annoying requirement to use at least 10 characters for the wiki password, so have a different password for logging in to mediawiki.

Downloaded the LocalSettings.php and copied it to /etc/mediawiki
"systemctl restart httpd.service" to pick up the new LocalSettings.php file.

Went to http://localhost/mediawiki/index.php/QaTestB4Update
Logged in, entered some text and a summary, created the page.

Installed the update using qarepo
"systemctl restart httpd.service"

Restarted firefox going back to http://localhost/mediawiki/index.php/QaTestB4Update
Went to http://localhost/mediawiki/index.php/QaTestAfterUpdate and created a new page.

Validating the update.

Herman, please try the above and update any missing or wrong parts in the wiki.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
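Comment 3 lays out the manual QA steps, and comment 2 shows the failure mode when one is skipped (an empty /etc/mediawiki giving a 404). The following is an added preflight check for those steps, not a script from the bug report or from Mageia: it verifies that the installer-generated LocalSettings.php is in the config directory, that it is not world-readable (it holds the database password), and that date.timezone is set in the PHP ini file. The default paths are the ones comment 3 names; the sample tree built by `make_sample_tree` is constructed for the example.

```python
"""Added example (not from the bug report): preflight checks for the manual
MediaWiki QA steps in comment 3.  Defaults are the Mageia paths the comment
names; the sample tree is constructed for demonstration."""
import re
import tempfile
from pathlib import Path

# Matches an active (uncommented) "date.timezone = <value>" line.
TIMEZONE_RE = re.compile(r"^\s*date\.timezone\s*=\s*\S")


def check_install(config_dir="/etc/mediawiki", php_ini="/etc/php.d/05_date.ini"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cfg = Path(config_dir)
    settings = cfg / "LocalSettings.php"
    # Comment 2's symptom: mw-config generates LocalSettings.php, but it only
    # takes effect once copied into the config directory (and httpd restarted).
    if not cfg.is_dir():
        findings.append(f"config dir {cfg} does not exist")
    elif not settings.is_file() or settings.stat().st_size == 0:
        findings.append(f"{settings} missing or empty (run mw-config, then copy it here)")
    elif settings.stat().st_mode & 0o004:
        # LocalSettings.php contains the database password.
        findings.append(f"{settings} is world-readable")
    # Comment 3 adds date.timezone to 05_date.ini before running the installer.
    ini = Path(php_ini)
    if not ini.is_file() or not any(
        TIMEZONE_RE.match(line) for line in ini.read_text().splitlines()
    ):
        findings.append(f"date.timezone not set in {ini}")
    return findings


def make_sample_tree(good=True):
    """Build a constructed sample layout in a temp dir; return (config_dir, php_ini).
    good=False reproduces comment 2's empty config directory and an unset timezone."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "mediawiki"
    cfg.mkdir()
    ini = root / "05_date.ini"
    if good:
        settings = cfg / "LocalSettings.php"
        settings.write_text('<?php\n$wgDBpassword = "example";\n')  # constructed
        settings.chmod(0o640)
        ini.write_text("date.timezone =America/Toronto\n")
    else:
        ini.write_text("; date.timezone =\n")  # commented out, so unset
    return str(cfg), str(ini)


if __name__ == "__main__":
    for good in (True, False):
        findings = check_install(*make_sample_tree(good))
        print("ok" if not findings else findings)
```

Run it without arguments to see both the passing and the failing sample tree; on a real host call `check_install()` with no arguments after copying LocalSettings.php into /etc/mediawiki and before restarting httpd.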

Dave Hodgins 2022-10-13 21:04:38 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-10-13 22:06:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0370.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

