Bug 31463 - mediawiki new security issues fixed upstream in 1.35.9
Summary: mediawiki new security issues fixed upstream in 1.35.9
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Depends on:
Reported: 2023-01-27 16:40 CET by David Walser
Modified: 2023-02-26 12:46 CET

See Also:
Source RPM: mediawiki-1.35.8-1.mga8.src.rpm
Status comment:


Description David Walser 2023-01-27 16:40:03 CET
Upstream has announced version 1.35.9 on December 22:

Fedora has issued an advisory for this today (January 27):

CVE-2022-47927 is the only security issue mentioned by the upstream announcement, and Fedora missed the previous update so we already handled CVE-2022-4176[57] in Bug 30943 (and CVE-2021-4485[4-6] in Bug 29772), but CVE-2023-22909 (T320987) and CVE-2023-22911 (T149488) are also fixed in this update, and CVE-2023-22945 only affected the 1.39 branch.
Comment 1 David Walser 2023-01-27 16:43:39 CET
Updated packages uploaded for Mageia 8 and Cauldron.


Updated mediawiki packages fix security vulnerabilities:

An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files are
created with file mode 0644, i.e., world readable to local users. These files
include credentials data (CVE-2022-47927).

An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database queries
are slow (CVE-2023-22909).

An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget authors
often do not expect that their widget is executed in an HTML attribute
context (CVE-2023-22911).


Updated packages in core/updates_testing:

from mediawiki-1.35.9-1.mga8.src.rpm

Severity: normal => major
Assignee: bugsquad => qa-bugs
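
The first advisory item above (CVE-2022-47927) is a file-permission problem rather than a code-execution one, so a tester can verify it on an installed box. The script below is an added example written for this bug report; it is not code from MediaWiki or from the Mageia package. It counts and lists world-readable files under a MediaWiki SQLite data directory, removes the "other" permission bits, and shows how the process umask decides whether a freshly created database file ends up 0644 or 0600. The path /var/www/mediawiki/data is an assumed default; pass the real data directory as the first argument.

```shell
#!/bin/sh
# Added example for Mageia bug 31463 (not MediaWiki or package code).
# Audits a MediaWiki SQLite data directory for the condition behind
# CVE-2022-47927: database/credential files created 0644 (world readable).
# Usage: sh audit_sqlite.sh [DATA_DIR] [--fix]

# Count regular files under $1 whose "other" read bit is set.
world_readable_count() {
    find "$1" -type f -perm -004 2>/dev/null | wc -l | tr -d ' '
}

# List world-readable files under $1.
# Returns 1 if any exist, 0 otherwise, so it can gate a post-install check.
audit_sqlite_dir() {
    dir="$1"
    if [ "$(world_readable_count "$dir")" -eq 0 ]; then
        echo "ok: no world-readable files under $dir"
        return 0
    fi
    echo "WARNING: world-readable files under $dir:"
    find "$dir" -type f -perm -004 2>/dev/null
    return 1
}

# Strip all "other" permission bits from files and directories under $1.
# The web server account that owns the directory keeps its access; other
# local users lose the ability to read the SQLite database and the
# credentials stored in it.
harden_sqlite_dir() {
    dir="$1"
    find "$dir" -type d -exec chmod o-rwx {} +
    find "$dir" -type f -exec chmod o-rwx {} +
}

# Create an empty file under a given umask. With the usual 022 the result is
# 0644 (the mode the advisory describes); with 077 it is 0600.
# $1 = umask, $2 = path.
create_with_umask() {
    ( umask "$1"; : > "$2" )
}

# Stand-alone use: audit the directory, hardening it first if --fix is given.
# The default path is an assumption; adjust it to the wiki's real data dir.
DATA_DIR="${1:-/var/www/mediawiki/data}"
if [ -d "$DATA_DIR" ]; then
    if [ "${2:-}" = "--fix" ]; then
        harden_sqlite_dir "$DATA_DIR"
    fi
    audit_sqlite_dir "$DATA_DIR"
fi
```

Run it once after the update installs and once after the first page load, since the installer and the wiki itself both create files in that directory; a non-zero exit means something there is still readable by every local account.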

Comment 2 PC LX 2023-01-28 15:00:00 CET
The package installation worked correctly. Other than the issue I reported before at bug 27781, it worked correctly.

System: Mageia 8, x86_64.

# uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q mediawiki

CC: (none) => mageia

Comment 3 PC LX 2023-01-28 15:02:08 CET
Forgot to mention that it's using a sqlite database.

# rpm -qa | grep mediawiki
Comment 4 Herman Viaene 2023-01-30 11:06:40 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues, deleting /var/www/mediawiki from previous updates before installation
Started mysqld and httpd, went to the mediawiki installation page and bumped into an error on the Welcome page - Environmental checks:
PHP 8.0.27 is installed.

[Y9eVH1MeEC25TDsXhq1xewAAAAY] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"

CC: (none) => herman.viaene

Comment 5 PC LX 2023-02-26 12:46:59 CET
I have again installed this package without issues.

Just following the instructions on the following link did the trick.

I'm not certain about the issue Herman encountered. I'm using PHP 8.1.16 (the one from the backport repositories) so maybe that makes a difference.

It would help to get a better idea if the PHP display_errors in /etc/php.ini was set to "On" to get more detailed error information.

# php --version
PHP 8.1.16 (cli) (built: Feb 15 2023 13:32:53) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.1.16, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies
    with Xdebug v3.1.1, Copyright (c) 2002-2021, by Derick Rethans
