Upstream has announced version 1.35.11 on June 30:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/

Debian has issued an advisory for this on July 5:
https://www.debian.org/security/2023/dsa-5447

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n (CVE-2023-29197).

Manualthumb bypasses badFile lookup (CVE-2023-36674).

XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36675
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.11-1.mga8
mediawiki-mysql-1.35.11-1.mga8
mediawiki-pgsql-1.35.11-1.mga8
mediawiki-sqlite-1.35.11-1.mga8

from mediawiki-1.35.11-1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => mageia
Installed and tested without regressions. Using sqlite as this is a personal site with low load. Had to change the apache configuration as reported in bug 27781 and also did some minor changes so that it is accessed only from the local network.

System: Mageia 8, x86_64.

# uname -a
Linux marte 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep mediawiki
mediawiki-sqlite-1.35.11-1.mga8
mediawiki-1.35.11-1.mga8
CC'ing sysadmin-bugs, still waiting for this to be moved in Cauldron.
CC: (none) => sysadmin-bugs
This update has been working without issue for more than a week, in Mageia 8, so I'm giving it an OK. It still needs the packages for cauldron and the corresponding testing.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
It's still in updates_testing in Cauldron and needs to be moved.
Moved in Cauldron.
Version: Cauldron => 8
Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK
CC: sysadmin-bugs => (none)
Validating. Advisory in comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0241.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED