Upstream has announced version 1.35.9 on December 22:
Fedora has issued an advisory for this today (January 27):
CVE-2022-47927 is the only security issue mentioned by the upstream announcement, and Fedora missed the previous update so we already handled CVE-2022-4176 in Bug 30943 (and CVE-2021-4485[4-6] in Bug 29772), but CVE-2023-22909 (T320987) and CVE-2023-22911 (T149488) are also fixed in this update, and CVE-2023-22945 only affected the 1.39 branch.
Updated packages uploaded for Mageia 8 and Cauldron.
Updated mediawiki packages fix security vulnerabilities:
An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files are
created with file mode 0644, i.e., world readable to local users. These files
include credentials data (CVE-2022-47927).
An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database queries
are slow (CVE-2023-22909).
An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget authors
often do not expect that their widget is executed in an HTML attribute
Updated packages in core/updates_testing:
The package installation worked correctly. Other than the issue I reported before at bug 27781, it worked correctly.
System: Mageia 8, x86_64.
# uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q mediawiki
Forgot to mention that its using a sqlite database.
# rpm -qa | grep mediawiki
MGA8-64 MATE on Acer Aspire 5253
No installation issues, deleting /var/www/mediawiki from previous updates before installation
Started mysqld and httpd, went to the mediawiki installation page and bumped onto error in the Welocome page - Environmental checks:
PHP 8.0.27 is installed.
[Y9eVH1MeEC25TDsXhq1xewAAAAY] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"
I have again installed this package without issues.
Just following the instructions on the following link did the trick.
I'm not certain about the issue Herman encountered. I'm using PHP 8.1.16 (the one from the backport repositories) so maybe that makes a difference.
It would help to get a better idea if the PHP display_errors in /etc/php.ini was set to "On" to get more detailed error information.
# php --version
PHP 8.1.16 (cli) (built: Feb 15 2023 13:32:53) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.1.16, Copyright (c) Zend Technologies
with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies
with Xdebug v3.1.1, Copyright (c) 2002-2021, by Derick Rethans