I've just found out that there's a new update out for mediawiki. I checked with the chanbot Sophie & 1.16 is the newest in Cauldron atm. Please add it. That'd be great.
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
CC: (none) => kristoffer.grundstrom1983
Source RPM: (none) => mediawiki
Priority: Normal => Low
Component: New RPM package request => RPM Packages
Summary: [WISH] An official update for Mediawiki is released so please build it for Cauldron a.s.a.p => [WISH] An official update for Mediawiki is released so please build it for Cauldron
assigning to maintainer for him to decide
CC: (none) => marja11
Assignee: bugsquad => oliver.bgr
There is 1.18 by now. I have been looking at it, but there are quite some changes internally and I first have to be sure, everything is still working. As a second note, I have to check the compatibility of the new 1.18.x with the 1.16.x databases and see if an update doesn't break existing wiki installations. FYI: fedora rawhide is still at 1.16.5, too.
Even 1.18.1 is released: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz
Here's a patch made by the Mediawiki-people as well: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz
(In reply to comment #5)
> Here's a patch made by the Mediawiki-people as well:
> http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz
Sorry, this is the right address: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz
Hi, This bug was filed against cauldron, but we do not have cauldron at the moment. Please report whether this bug is still valid for Mageia 2. Thanks :) Cheers, marja
Keywords: (none) => NEEDINFO
Security updates have been released for the 1.17, 1.18, and 1.19 branches recently, but not 1.16. This will likely be the last update for 1.17. 1.16 is no longer supported.
http://www.mediawiki.org/wiki/Version_lifecycle
The newest 1.18 security release is 1.18.4.
According to a Gentoo advisory on June 21:
http://www.gentoo.org/security/en/glsa/glsa-201206-09.xml
5 security issues were fixed in 1.18.2 and have CVEs. 1.16 is affected by at least two of these, probably three, but maybe not all 5. Nonetheless, we need to upgrade to a newer branch. Considering the EOL dates, probably 1.19 would be the best choice.
More info on the CVEs from the Gentoo advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666269
https://bugzilla.redhat.com/show_bug.cgi?id=806363
https://bugzilla.redhat.com/show_bug.cgi?id=806357
https://bugzilla.redhat.com/show_bug.cgi?id=806350
https://bugzilla.redhat.com/show_bug.cgi?id=806343
I don't know if the security issue fixed in the newest mediawiki updates (including 1.18.4) has a CVE, but its upstream bug is here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Keywords: NEEDINFO => (none)
Priority: Low => Normal
CC: (none) => luigiwalser
Component: RPM Packages => Security
Summary: [WISH] An official update for Mediawiki is released so please build it for Cauldron => [SECURITY] An official update for Mediawiki is released so please build it for Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
Severity: enhancement => normal
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are. If you're the assignee: We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead. If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard. Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why. Thanks :) **************************** @ the reporter and persons in the cc of this bug: If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us. @ the reporter of this bug If you didn't reply yet to a request for more information, please do so within two weeks from now. Thanks all :-D
CC: (none) => oe
this looks weird:
[08:02] <Sophie> 1.19.2-2.mga3 // core-release (Mga, cauldron, x86_64), core-release (Mga, cauldron, i586)
[08:02] <Sophie> 1.19.2-1.mga3 // core-updates_testing (Mga, cauldron, x86_64), core-updates_testing (Mga, cauldron, i586)
a higher version in cauldron core-release than in cauldron core-updates_testing.
@ Oliver: so even if one enables the updates_testing repo to test your package, the one that is installed will be the higher version in release, or am I wrong about that?
Anyway, this security bug is fixed for cauldron
@ Kristoffer AFAIK, bug 7440 is still a problem for the cauldron package
Version: Cauldron => 2
Summary: [SECURITY] An official update for Mediawiki is released so please build it for Cauldron => [SECURITY] An official update for Mediawiki is released so please build it
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Oliver pushed it to updates_testing in Cauldron, then someone else pushed it to release.
Ping. What's the status of this? We're running out of time to fix things for Mageia 1.
Severity: normal => major
Removing Mageia 1 from the whiteboard due to EOL. Adding Cauldron to the version, as it is vulnerable to a new CVE. http://lwn.net/Vulnerabilities/538986/ The issue is fixed in 1.19.3 according to the RedHat bug.
Version: 2 => Cauldron
Whiteboard: MGA1TOO => MGA2TOO
This is fixed in Cauldron as it has now been updated to 1.20.3. The Mediawiki version lifecycle has changed since I last looked at it, and they now are doing LTS releases (yes!!!): http://www.mediawiki.org/wiki/Version_lifecycle According to that it actually would have been better to stick with 1.19.x for Mageia 3, but that's OK. We can stick with 1.20.x until the end of its support lifecycle, and then update it to 1.22.x, which will carry us through the end of Mageia 3's support lifecycle, according to their current schedule. Mageia 4 will have to start with 1.22.x, but can later be upgraded to 1.23.x LTS and stick with that. For Mageia 2, we should update it to 1.19.4 if we want to fix this. http://www.mediawiki.org/wiki/Release_notes
CC: (none) => cazzaniga.sandro
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Well that lasted long :o) Mediawiki has released 1.20.4 and 1.19.5, fixing 3 new security issues: http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000127.html
CC: (none) => oliver.bgr
Version: 2 => Cauldron
Assignee: oliver.bgr => cazzaniga.sandro
Whiteboard: (none) => MGA2TOO
This last is on its way to Cauldron.
Thanks Sandro. mediawiki-1.20.4-1.mga3 is up.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
So can we close this bug?
(In reply to Sandro Cazzaniga from comment #18)
> So can we close this bug?
Of course not. This bug is for Mageia 2, which still needs an update.
oops, my mistake.
LWN reference for the 1.20.4 update: http://lwn.net/Vulnerabilities/548503/
New LWN reference for the 1.20.4 update: http://lwn.net/Vulnerabilities/548893/
Now 1.20.5 and 1.19.6 are out fixing CVE-2013-2031 and CVE-2013-2032: http://openwall.com/lists/oss-security/2013/05/01/2
Version: 2 => Cauldron
Whiteboard: (none) => MGA2TOO
Ok, I'm working on it right now.
Asked for push in cauldron.
mediawiki-1.20.5-1.mga3 uploaded in Cauldron. Thanks again Sandro.
LWN reference for the 1.20.5 update: http://lwn.net/Vulnerabilities/551204/
Does QA need to validate it?
Once we get an update for Mageia 2 packaged, yes. Mageia 3 is fine at the moment.
I'm preparing it.
Just some things I noticed trying to configure mediawiki on Mageia 3 that you might want to fix at some point.
When it checks your configuration, it gives a message:
"Suhosin is installed and limits the GET parameter length to 512 bytes. MediaWiki's ResourceLoader component will work around this limit, but that will degrade performance. If at all possible, you should set suhosin.get.max_value_length to 1024 or higher in php.ini, and set $wgResourceLoaderMaxQueryLength to the same value in LocalSettings.php."
You can fix this by adding to /etc/httpd/conf/sites.d/mediawiki.conf:
php_value suhosin.request.max_value_length 128
and then hopefully it'll set $wgResourceLoaderMaxQueryLength appropriately or maybe you'd have to do something so that it does in the LocalSettings.php it gives you.
I don't know if it's possible, but it'd be nice if it could save the LocalSettings.php for you instead of having you download it.
Speaking of which, I really don't think this particular package should store its files in /usr/share, as that configuration file goes under there, as well as any extensions you install. It should be in /var/www/mediawiki (which is there, but empty) like I did with Moodle, for the same reasons.
Another issue is in /etc/httpd/conf/sites.d/mediawiki.conf, it says Require local granted, which means you can only access the wiki from localhost, which is pretty useless. It would be better if it had Require all granted so it's accessible, but also have:
<Directory %{installation directory}/mw-config>
    Require local
</Directory>
So that you could only access the initial configuration thing from localhost. The Moodle package does the same thing. %{installation directory} above would be /usr/share/mediawiki as of now, or /var/www/mediawiki if that gets changed.
I cannot commit: svn: E165001: Commit blocked by pre-commit hook (exit code 1) with output: this repository is restrected to user umeabot
BTW, I'll commit 1.20.6, but I first need to do it in this order:
1.20.6 in cauldron
Same in mageia 3
then in mageia 2.
Thanks
(In reply to David Walser from comment #31)
> You can fix this by adding to /etc/httpd/conf/sites.d/mediawiki.conf:
> php_value suhosin.request.max_value_length 128
Whoops, that should have been:
php_value suhosin.get.max_value_length 1024
(get, not request, and 1024, not 128).
(In reply to David Walser from comment #31)
> I really don't think this particular package should store its files
> in /usr/share, as that configuration file goes under there, as well as any
> extensions you install. It should be in /var/www/mediawiki (which is there,
> but empty) like I did with Moodle, for the same reasons.
Alternatively if you want to keep most of the files in /usr/share/mediawiki for some reason, you could do something similar to Ubuntu's package where any parts that are supposed to be edited by the admin (at least the extensions directory and LocalSettings.php) are installed in /var/www/mediawiki and symlinks to there are installed in /usr/share/mediawiki.
Successfully sent to updates/testing for 2.
Can QA also validate mediawiki for Mageia 3? Same version, same security fixes..
CVE-2013-2114 has been assigned for the issue fixed in 1.20.6 and 1.19.7: http://openwall.com/lists/oss-security/2013/05/24/3 Let's see if we can get some of the packaging issues corrected before we push this to QA. See Comment 31, Comment 34, and Comment 35.
Version: 2 => 3
Whiteboard: (none) => MGA2TOO
Currently uploaded are:
mediawiki-1.20.6-1.mga2.noarch.rpm
mediawiki-mysql-1.20.6-1.mga2.noarch.rpm
mediawiki-pgsql-1.20.6-1.mga2.noarch.rpm
mediawiki-sqlite-1.20.6-1.mga2.noarch.rpm
mediawiki-1.20.6-1.mga3.noarch.rpm
mediawiki-mysql-1.20.6-1.mga3.noarch.rpm
mediawiki-pgsql-1.20.6-1.mga3.noarch.rpm
mediawiki-sqlite-1.20.6-1.mga3.noarch.rpm
from Source RPMs:
mediawiki-1.20.6-1.mga2.src.rpm
mediawiki-1.20.6-1.mga3.src.rpm
Sandro, are we also going to backport mediawiki-math for Mageia 2?
If someone has time to do it, it would be great!
Can we close this bug?
(In reply to Sandro Cazzaniga from comment #41)
> Can we close this bug?
Of course not. We still have yet to issue an update for Mageia 2 or 3. I know some work has been done on it, but it's not totally ready for QA. See Comment 38.
LWN reference for the 1.20.6 update: http://lwn.net/Vulnerabilities/553299/
1.20.6 is waiting in mageia 2 and 3 in core/updates_testing..
(In reply to Sandro Cazzaniga from comment #44)
> 1.20.6 is waiting in mageia 2 and 3 in core/updates_testing..
And it still isn't ready as there are issues with the package, as I said in Comment 31, Comment 34, and Comment 35.
Also, as I understand it, mediawiki-math went from built-in (in the version in /release in Mageia 2) to an external module which is packaged separately, so for the Mageia 2 update, that will need backported so as to not cause regressions in the update.
(In reply to David Walser from comment #45)
> And it still isn't ready as there are issues with the package, as I said in
> Comment 31, Comment 34, and Comment 35.
>
> Also, as I understand it, mediawiki-math went from built-in (in the version
> in /release in Mageia 2) to an external module which is packaged separately,
> so for the Mageia 2 update, that will need backported so as to not cause
> regressions in the update.
Maybe the *official* maintainer can do something for that, I haven't much time.
CC: cazzaniga.sandro => (none)
Assignee: cazzaniga.sandro => oliver.bgr
Depends on: (none) => 10784
The Mageia 3 update is being handled in Bug 10784. The Mageia 3 mediawiki-ldapauthentication update in Bug 10785 also needs to be pushed before this one.
Updated packages uploaded for Mageia 2.
Advisory:
========================
Updated mediawiki packages fix security vulnerabilities:
This update provides MediaWiki 1.20.6, fixing several unspecified security issues. This replaces the MediaWiki 1.16.5 version, which has been EOL upstream for quite some time now, that was shipped with Mageia 2.
MediaWiki removed the Math extension for the 1.18 release, but it is now available separately. It has been packaged in the mediawiki-math package.
The mediawiki-graphviz and mediawiki-ldapauthentication packages have also been updated to work with the new MediaWiki packages.
References:
http://www.mediawiki.org/wiki/Release_notes
========================
Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.1.mga2
mediawiki-mysql-1.20.6-1.1.mga2
mediawiki-pgsql-1.20.6-1.1.mga2
mediawiki-sqlite-1.20.6-1.1.mga2
mediawiki-math-1.0-1.110614.1.mga2
mediawiki-ldapauthentication-2.0c-1.mga2
mediawiki-graphviz-0.9-1.89857.3.mga2
from SRPMS:
mediawiki-1.20.6-1.1.mga2.src.rpm
mediawiki-math-1.0-1.110614.1.mga2.src.rpm
mediawiki-ldapauthentication-2.0c-1.mga2.src.rpm
mediawiki-graphviz-0.9-1.89857.3.mga2.src.rpm
Version: 3 => 2
Depends on: (none) => 10785
Assignee: oliver.bgr => qa-bugs
Whiteboard: MGA2TOO => (none)
Advisory 3448.adv added to svn. No poc, so just testing that mediawiki works. Testing shortly.
CC: (none) => davidwhodgins
Thanks Dave. Please note that the Mageia 3 updates in Bug 10784 and Bug 10785 need to be pushed before this one (or at least at the same time).
In Mageia 2, I'm getting a 403 http status code, trying to access http://localhost/mediawiki
The error_log shows
client denied by server configuration: /usr/share/mediawiki
Bug 10784 has already been validated. I'll take a look at bug 10785 now.
Whiteboard: (none) => feedback
Ahh, sorry. I had Apache 2.4 syntax in the /etc/httpd/conf/webapps.d/mediawiki.conf file. I've replaced it with Apache 2.2 syntax and rebuilt mediawiki.
Advisory:
========================
Updated mediawiki packages fix security vulnerabilities:
This update provides MediaWiki 1.20.6, fixing several unspecified security issues. This replaces the MediaWiki 1.16.5 version, which has been EOL upstream for quite some time now, that was shipped with Mageia 2.
MediaWiki removed the Math extension for the 1.18 release, but it is now available separately. It has been packaged in the mediawiki-math package.
The mediawiki-graphviz and mediawiki-ldapauthentication packages have also been updated to work with the new MediaWiki packages.
References:
http://www.mediawiki.org/wiki/Release_notes
========================
Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.2.mga2
mediawiki-mysql-1.20.6-1.2.mga2
mediawiki-pgsql-1.20.6-1.2.mga2
mediawiki-sqlite-1.20.6-1.2.mga2
mediawiki-math-1.0-1.110614.1.mga2
mediawiki-ldapauthentication-2.0c-1.mga2
mediawiki-graphviz-0.9-1.89857.3.mga2
from SRPMS:
mediawiki-1.20.6-1.2.mga2.src.rpm
mediawiki-math-1.0-1.110614.1.mga2.src.rpm
mediawiki-ldapauthentication-2.0c-1.mga2.src.rpm
mediawiki-graphviz-0.9-1.89857.3.mga2.src.rpm
Whiteboard: feedback => (none)
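Added example, not part of the bug thread and not the file shipped in the Mageia package: the access rules proposed in comment 31 (wiki reachable by everyone, mw-config installer reachable from localhost only), written so the same file loads under both Apache 2.2 and Apache 2.4 and does not produce the 403 reported above. It assumes mod_version is loaded and that the wiki is served under a /mediawiki alias; the installation path is the one named in the thread.

```apache
# Added example; assumes mod_version is available for <IfVersion>.
# The Alias is an assumption based on the URL used during testing.
Alias /mediawiki /usr/share/mediawiki

# The wiki itself: open to all clients.
<Directory /usr/share/mediawiki>
    <IfVersion >= 2.4>
        # Apache 2.4 authorization (mod_authz_core)
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        # Apache 2.2 equivalent (mod_authz_host)
        Order allow,deny
        Allow from all
    </IfVersion>
</Directory>

# The web installer: local machine only, so a remote client cannot
# reach the initial configuration pages.
<Directory /usr/share/mediawiki/mw-config>
    <IfVersion >= 2.4>
        Require local
    </IfVersion>
    <IfVersion < 2.4>
        # Deny is evaluated first, then Allow re-admits loopback only.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </IfVersion>
</Directory>
```

A 2.4-only directive such as Require all granted is not understood by a 2.2 server without this kind of version guard, which is why the package for the older release needed the 2.2 form.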
Advisory 3448.adv updated in svn, for the new srpm. Testing shortly.
Ah. Have to wait for the mirrors to sync. I'll leave this till tomorrow, unless someone else does it before I start testing again.
Testing complete on Mageia 2 i586 and x86_64. Could someone from the sysadmin team push 3448.adv to updates.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0226.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED