Bug 31463 - mediawiki new security issues fixed upstream in 1.35.10
Summary: mediawiki new security issues fixed upstream in 1.35.10
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-27 16:40 CET by David Walser
Modified: 2023-06-28 07:22 CEST (History)
5 users (show)

See Also:
Source RPM: mediawiki-1.35.8-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-01-27 16:40:03 CET
Upstream has announced version 1.35.9 on December 22:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/

Fedora has issued an advisory for this today (January 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/

CVE-2022-47927 is the only security issue mentioned by the upstream announcement, and Fedora missed the previous update so we already handled CVE-2022-4176[57] in Bug 30943 (and CVE-2021-4485[4-6] in Bug 29772), but CVE-2023-22909 (T320987) and CVE-2023-22911 (T149488) are also fixed in this update, and CVE-2023-22945 only affected the 1.39 branch.
Comment 1 David Walser 2023-01-27 16:43:39 CET
Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files are
created with file mode 0644, i.e., world readable to local users. These files
include credentials data (CVE-2022-47927).

An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database queries
are slow (CVE-2023-22909).

An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget authors
often do not expect that their widget is executed in an HTML attribute
context (CVE-2023-22911).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.9-1.mga8
mediawiki-mysql-1.35.9-1.mga8
mediawiki-pgsql-1.35.9-1.mga8
mediawiki-sqlite-1.35.9-1.mga8

from mediawiki-1.35.9-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => major

Comment 2 PC LX 2023-01-28 15:00:00 CET
The package installation worked correctly. Other than the issue I reported before at bug 27781, it worked correctly.

System: Mageia 8, x86_64.


# uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q mediawiki
mediawiki-1.35.9-1.mga8

CC: (none) => mageia

Comment 3 PC LX 2023-01-28 15:02:08 CET
Forgot to mention that its using a sqlite database.

# rpm -qa | grep mediawiki
mediawiki-1.35.9-1.mga8
mediawiki-sqlite-1.35.9-1.mga8
Comment 4 Herman Viaene 2023-01-30 11:06:40 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues, deleting /var/www/mediawiki from previous updates before installation
Started mysqld and httpd, went to the mediawiki installation page and bumped onto error in the Welocome page - Environmental checks:
PHP 8.0.27 is installed.

[Y9eVH1MeEC25TDsXhq1xewAAAAY] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"

CC: (none) => herman.viaene

Comment 5 PC LX 2023-02-26 12:46:59 CET
I have again installed this package without issues.

Just following the instructions on the following link did the trick.
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki

I'm not certain about the issue Herman encountered. I'm using PHP 8.1.16 (the one from the backport repositories) so maybe that makes a difference.

It would help to get a better idea if the PHP display_errors in /etc/php.ini was set to "On" to get more detailed error information.

# php --version
PHP 8.1.16 (cli) (built: Feb 15 2023 13:32:53) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.1.16, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies
    with Xdebug v3.1.1, Copyright (c) 2002-2021, by Derick Rethans
Comment 6 David Walser 2023-04-10 22:40:37 CEST
Upstream has announced version 1.35.10 on March 30:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/

Fedora has issued an advisory for this today (April 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/


Updated packages uploaded for Mageia 8 and Cauldron (pending freeze move).

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).

An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files are
created with file mode 0644, i.e., world readable to local users. These files
include credentials data (CVE-2022-47927).

An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database queries
are slow (CVE-2023-22909).

An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget authors
often do not expect that their widget is executed in an HTML attribute
context (CVE-2023-22911).

An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur
for an untrusted X-Forwarded-For header (CVE-2023-29141).

OATHAuth allows replay attacks when MediaWiki is configured without
ObjectCache; Insecure Default Configuration (T330086).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29141
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.10-1.mga8
mediawiki-mysql-1.35.10-1.mga8
mediawiki-pgsql-1.35.10-1.mga8
mediawiki-sqlite-1.35.10-1.mga8

from mediawiki-1.35.10-1.mga8.src.rpm

Summary: mediawiki new security issues fixed upstream in 1.35.9 => mediawiki new security issues fixed upstream in 1.35.10

Comment 7 David Walser 2023-04-17 15:31:26 CEST
Freeze move has been completed.
Comment 8 Herman Viaene 2023-04-26 11:33:46 CEST
Deleted existing database in mysql, deleted the /var/www/mediawiki and /etc/mediawiki, created new database wit phpmyadmin and launched the setup and got stuck at the same error as above:
PHP 8.0.28 is installed.

[ZEjvDlbwJ0rGu7zoQ81AFgAAAAQ] /mediawiki/mw-config/index.php?page=Welcome Error from line 151 of /usr/share/mediawiki/includes/shell/FirejailCommand.php: Undefined constant "MediaWiki\Shell\MW_CONFIG_FILE"
Comment 9 David Walser 2023-05-07 22:36:18 CEST
There haven't been any changes to FirejailCommand.php or any changes referencing MW_CONFIG_FILE in the last two updates.
Comment 10 Herman Viaene 2023-06-20 11:02:48 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Did the installation on a clean M8 setup (see bug 31997) and run thru the setup as described in the wiki using mysql as database.
Setup works OK and created a first page.

Whiteboard: (none) => MGA8-64-OK

Comment 11 Thomas Andrews 2023-06-20 16:34:32 CEST
Validating. Advisory in comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:33:24 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2023-06-28 07:22:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0204.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.