Upstream has announced version 1.35.9 on December 22: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/ Fedora has issued an advisory for this today (January 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ CVE-2022-47927 is the only security issue mentioned by the upstream announcement, and Fedora missed the previous update so we already handled CVE-2022-4176[57] in Bug 30943 (and CVE-2021-4485[4-6] in Bug 29772), but CVE-2023-22909 (T320987) and CVE-2023-22911 (T149488) are also fixed in this update, and CVE-2023-22945 only affected the 1.39 branch.
Updated packages uploaded for Mageia 8 and Cauldron. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927). An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909). An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.35.9-1.mga8 mediawiki-mysql-1.35.9-1.mga8 mediawiki-pgsql-1.35.9-1.mga8 mediawiki-sqlite-1.35.9-1.mga8 from mediawiki-1.35.9-1.mga8.src.rpm
Assignee: bugsquad => qa-bugsSeverity: normal => major
The package installation worked correctly. Other than the issue I reported before at bug 27781, it worked correctly. System: Mageia 8, x86_64. # uname -a Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux # rpm -q mediawiki mediawiki-1.35.9-1.mga8
CC: (none) => mageia
Forgot to mention that its using a sqlite database. # rpm -qa | grep mediawiki mediawiki-1.35.9-1.mga8 mediawiki-sqlite-1.35.9-1.mga8
MGA8-64 MATE on Acer Aspire 5253 No installation issues, deleting /var/www/mediawiki from previous updates before installation Started mysqld and httpd, went to the mediawiki installation page and bumped onto error in the Welocome page - Environmental checks: PHP 8.0.27 is installed. [Y9eVH1MeEC25TDsXhq1xewAAAAY] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"
CC: (none) => herman.viaene
I have again installed this package without issues. Just following the instructions on the following link did the trick. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki I'm not certain about the issue Herman encountered. I'm using PHP 8.1.16 (the one from the backport repositories) so maybe that makes a difference. It would help to get a better idea if the PHP display_errors in /etc/php.ini was set to "On" to get more detailed error information. # php --version PHP 8.1.16 (cli) (built: Feb 15 2023 13:32:53) (ZTS) Copyright (c) The PHP Group Zend Engine v4.1.16, Copyright (c) Zend Technologies with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies with Xdebug v3.1.1, Copyright (c) 2002-2021, by Derick Rethans
Upstream has announced version 1.35.10 on March 30: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/ Fedora has issued an advisory for this today (April 10): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/ Updated packages uploaded for Mageia 8 and Cauldron (pending freeze move). Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649). An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927). An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909). An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911). An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur for an untrusted X-Forwarded-For header (CVE-2023-29141). OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration (T330086). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36649 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29141 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/ https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/ ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.35.10-1.mga8 mediawiki-mysql-1.35.10-1.mga8 mediawiki-pgsql-1.35.10-1.mga8 mediawiki-sqlite-1.35.10-1.mga8 from mediawiki-1.35.10-1.mga8.src.rpm
Summary: mediawiki new security issues fixed upstream in 1.35.9 => mediawiki new security issues fixed upstream in 1.35.10
Freeze move has been completed.
Deleted existing database in mysql, deleted the /var/www/mediawiki and /etc/mediawiki, created new database wit phpmyadmin and launched the setup and got stuck at the same error as above: PHP 8.0.28 is installed. [ZEjvDlbwJ0rGu7zoQ81AFgAAAAQ] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"
There haven't been any changes to FirejailCommand.php or any changes referencing MW_CONFIG_FILE in the last two updates.
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Did the installation on a clean M8 setup (see bug 31997) and run thru the setup as described in the wiki using mysql as database. Setup works OK and created a first page.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 6.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0204.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED