Bug 3448 - [SECURITY] An official update for Mediawiki is released so please build it
: [SECURITY] An official update for Mediawiki is released so please build it
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
:
: MGA2-64-OK MGA2-32-OK
: validated_update
: 10784 10785
:
  Show dependency treegraph
 
Reported: 2011-11-25 09:04 CET by Kristoffer Grundström
Modified: 2013-07-21 22:13 CEST (History)
8 users (show)

See Also:
Source RPM: mediawiki
CVE:
Status comment:


Attachments

Description Kristoffer Grundström 2011-11-25 09:04:47 CET
I've just found out that there's a new update out for mediawiki. I checked with the chanbot Sophie & 1.16 is the newest in Cauldron atm. Please add it. That'd be great.
Comment 2 Marja van Waes 2012-01-22 19:55:15 CET
assigning to maintainer for him to decide
Comment 3 Oliver Burger 2012-01-23 09:01:59 CET
There is 1.18 by now. I have been looking at it, but there are quite some changes internally and I first have to be sure, everything is still working.

As a second note, I have to check the compatibility of the new 1.18.x with the 1.16.x databases and see if an update doesn't break existing wiki installations.

FYI: fedora rawhide is still at 1.16.5, too.
Comment 4 Kristoffer Grundström 2012-01-24 01:11:22 CET
Even 1.18.1 is released: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz
Comment 5 Kristoffer Grundström 2012-01-24 01:12:16 CET
Here's a patch made by the Mediawiki-people as well: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz
Comment 6 Kristoffer Grundström 2012-01-24 01:13:09 CET
(In reply to comment #5)
> Here's a patch made by the Mediawiki-people as well:
> http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz

Sorry, this is the right adress: http://dumps.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz
Comment 7 Marja van Waes 2012-05-26 13:07:19 CEST
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja
Comment 8 David Walser 2012-06-23 00:19:04 CEST
Security updates have been released for the 1.17, 1.18, and 1.19 branches recently, but not 1.16.  This will likely be the last update for 1.17.  1.16 is no longer supported.
http://www.mediawiki.org/wiki/Version_lifecycle

The newest 1.18 security release is 1.18.4.

According to a Gentoo advisory on June 21:
http://www.gentoo.org/security/en/glsa/glsa-201206-09.xml

5 security issues were fixed in 1.18.2 and have CVEs.  1.16 is affected by at least two of these, probably three, but maybe not all 5.  Nonetheless, we need to upgrade to a newer branch.  Considering the EOL dates, probably 1.19 would be the best choice.

More info on the CVEs from the Gentoo advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666269
https://bugzilla.redhat.com/show_bug.cgi?id=806363
https://bugzilla.redhat.com/show_bug.cgi?id=806357
https://bugzilla.redhat.com/show_bug.cgi?id=806350
https://bugzilla.redhat.com/show_bug.cgi?id=806343

I don't know if the security issue fixed in the newest mediawiki updates (including 1.18.4) has a CVE, but its upstream bug is here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Comment 9 Marja van Waes 2012-07-06 15:04:03 CEST
Please look at the bottom of this mail to see whether you're the assignee of this  bug, if you don't already know whether you are.


If you're the assignee:

We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead.

If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard.

Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.

Thanks :)

**************************** 

@ the reporter and persons in the cc of this bug:

If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug

If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
Comment 10 Marja van Waes 2012-10-10 08:12:00 CEST
this looks weird:

[08:02] <Sophie> 1.19.2-2.mga3 // core-release (Mga, cauldron, x86_64), core-release (Mga, cauldron, i586)
[08:02] <Sophie> 1.19.2-1.mga3 // core-updates_testing (Mga, cauldron, x86_64), core-updates_testing (Mga, cauldron, i586)

a higher version in cauldron core-release than in cauldron core-updates_testing.

@ Oliver: so even if one enables the updates_testing repo to test your package, the one that is installed will be the higher version in release, or am I wrong about that?

Anyway, this security bug is fixed for cauldron

@ Kristoffer
AFAIK, bug 7440 is still a problem for the cauldron package
Comment 11 David Walser 2012-10-10 12:22:56 CEST
Oliver pushed it to updates_testing in Cauldron, then someone else pushed it to release.
Comment 12 David Walser 2012-11-20 17:05:38 CET
Ping.  What's the status of this?

We're running out of time to fix things for Mageia 1.
Comment 13 David Walser 2013-02-19 22:45:41 CET
Removing Mageia 1 from the whiteboard due to EOL.

Adding Cauldron to the version, as it is vulnerable to a new CVE.

http://lwn.net/Vulnerabilities/538986/

The issue is fixed in 1.19.3 according to the RedHat bug.
Comment 14 David Walser 2013-04-13 17:28:07 CEST
This is fixed in Cauldron as it has now been updated to 1.20.3.

The Mediawiki version lifecycle has changed since I last looked at it, and they now are doing LTS releases (yes!!!):
http://www.mediawiki.org/wiki/Version_lifecycle

According to that it actually would have been better to stick with 1.19.x for Mageia 3, but that's OK.  We can stick with 1.20.x until the end of its support lifecycle, and then update it to 1.22.x, which will carry us through the end of Mageia 3's support lifecycle, according to their current schedule.

Mageia 4 will have to start with 1.22.x, but can later be upgraded to 1.23.x LTS and stick with that.

For Mageia 2, we should update it to 1.19.4 if we want to fix this.

http://www.mediawiki.org/wiki/Release_notes
Comment 15 David Walser 2013-04-18 02:53:21 CEST
Well that lasted long :o)

Mediawiki has released 1.20.4 and 1.19.5, fixing 3 new security issues:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000127.html
Comment 16 Sandro Cazzaniga 2013-04-18 14:44:41 CEST
This last is on its way to Cauldron.
Comment 17 David Walser 2013-04-18 20:14:12 CEST
Thanks Sandro.  mediawiki-1.20.4-1.mga3 is up.
Comment 18 Sandro Cazzaniga 2013-04-18 21:23:35 CEST
So can we close this bug?
Comment 19 David Walser 2013-04-18 22:41:38 CEST
(In reply to Sandro Cazzaniga from comment #18)
> So can we close this bug?

Of course not.  This bug is for Mageia 2, which still needs an update.
Comment 20 Sandro Cazzaniga 2013-04-19 07:29:05 CEST
oops, my mistake.
Comment 21 David Walser 2013-04-25 19:36:54 CEST
LWN reference for the 1.20.4 update:
http://lwn.net/Vulnerabilities/548503/
Comment 22 David Walser 2013-04-30 19:50:47 CEST
New LWN reference for the 1.20.4 update:
http://lwn.net/Vulnerabilities/548893/
Comment 23 David Walser 2013-05-02 14:30:28 CEST
Now 1.20.5 and 1.19.6 are out fixing CVE-2013-2031 and CVE-2013-2032:
http://openwall.com/lists/oss-security/2013/05/01/2
Comment 24 Sandro Cazzaniga 2013-05-04 09:51:25 CEST
Ok, I'm working on it right now.
Comment 25 Sandro Cazzaniga 2013-05-04 10:14:42 CEST
Asked for push in cauldron.
Comment 26 David Walser 2013-05-05 00:00:41 CEST
mediawiki-1.20.5-1.mga3 uploaded in Cauldron.  Thanks again Sandro.
Comment 27 David Walser 2013-05-20 20:11:18 CEST
LWN reference for the 1.20.5 update:
http://lwn.net/Vulnerabilities/551204/
Comment 28 Sandro Cazzaniga 2013-05-21 07:21:19 CEST
Does QA needs to validate it?
Comment 29 David Walser 2013-05-21 13:31:17 CEST
Once we get an update for Mageia 2 packaged, yes.  Mageia 3 is fine at the moment.
Comment 30 Sandro Cazzaniga 2013-05-21 13:33:42 CEST
I prepare it.
Comment 31 David Walser 2013-05-22 00:58:48 CEST
Just some things I noticed trying to configure mediawiki on Mageia 3 that you might want to fix at some point.

When it checks your configuration, it gives a message:
"Suhosin is installed and limits the GET parameter length to 512
bytes. MediaWiki's ResourceLoader component will work around this
limit, but that will degrade performance. If at all possible, you
should set suhosin.get.max_value_length to 1024 or higher in php.ini ,
and set $wgResourceLoaderMaxQueryLength to the same value in
LocalSettings.php ."

You can fix this by adding to /etc/httpd/conf/sites.d/mediawiki.conf:
    php_value suhosin.request.max_value_length        128

and then hopefully it'll set $wgResourceLoaderMaxQueryLength appropriately or maybe you'd have to do something so that it does in the LocalSettings.php it gives you.

I don't know if it's possible, but it'd be nice if it could save the LocalSettings.php for you instead of having you download it.  Speaking of which, I really don't think this particular package should store its files in /usr/share, as that configuration file goes under there, as well as any extensions you install.  It should be in /var/www/mediawiki (which is there, but empty) like I did with Moodle, for the same reasons.

Another issue is in /etc/httpd/conf/sites.d/mediawiki.conf, it says Require local granted, which means you can only access the wiki from localhost, which is pretty useless.  It would be better if it had Require all granted so it's accessible, but also have:
<Directory %{installation directory}/mw-config>
    Require local
</Directory>

So that you could only access the initial configuration thing from localhost.  The Moodle package does the same thing.  %{installation directory} above would be /usr/share/mediawiki as of now, or /var/www/mediawiki if that gets changed.
Comment 32 Sandro Cazzaniga 2013-05-22 07:24:55 CEST
I cannot commit:

svn: E165001: Commit blocked by pre-commit hook (exit code 1) with output:
this repository is restrected to user umeabot
Comment 33 Sandro Cazzaniga 2013-05-22 11:19:17 CEST
BTW, I'll commit 1.20.6, but I first need to do it in this order:

1.20.6 in cauldron
Same in mageia 3
then in mageia 2.

Thanks
Comment 34 David Walser 2013-05-22 20:55:04 CEST
(In reply to David Walser from comment #31)
> You can fix this by adding to /etc/httpd/conf/sites.d/mediawiki.conf:
>     php_value suhosin.request.max_value_length        128

Whoops, that should have been:
     php_value suhosin.get.max_value_length        1024

(get, not request, and 1024, not 128).
Comment 35 David Walser 2013-05-22 21:48:08 CEST
(In reply to David Walser from comment #31)
> I really don't think this particular package should store its files
> in /usr/share, as that configuration file goes under there, as well as any
> extensions you install.  It should be in /var/www/mediawiki (which is there,
> but empty) like I did with Moodle, for the same reasons.

Alternatively if you want to keep most of the files in /usr/share/mediawiki for some reason, you could do something similar to Ubuntu's package where any parts that are supposed to be edited by the admin (at least the extensions directory and LocalSettings.php) are installed in /var/www/mediawiki and symlinks to there are installed in /usr/share/mediawiki.
Comment 36 Sandro Cazzaniga 2013-05-23 10:58:42 CEST
Sucessfully sent to updates/testing for 2.
Comment 37 Sandro Cazzaniga 2013-05-23 22:19:04 CEST
Can QA also validates mediawiki for Mageia 3? Same version, same security fixes..
Comment 38 David Walser 2013-05-24 20:23:34 CEST
CVE-2013-2114 has been assigned for the issue fixed in 1.20.6 and 1.19.7:
http://openwall.com/lists/oss-security/2013/05/24/3

Let's see if we can get some of the packaging issues corrected before we push this to QA.  See Comment 31, Comment 34, and Comment 35.
Comment 39 David Walser 2013-05-24 20:25:55 CEST
Currently uploaded are:
mediawiki-1.20.6-1.mga2.noarch.rpm
mediawiki-mysql-1.20.6-1.mga2.noarch.rpm
mediawiki-pgsql-1.20.6-1.mga2.noarch.rpm
mediawiki-sqlite-1.20.6-1.mga2.noarch.rpm
mediawiki-1.20.6-1.mga3.noarch.rpm
mediawiki-mysql-1.20.6-1.mga3.noarch.rpm
mediawiki-pgsql-1.20.6-1.mga3.noarch.rpm
mediawiki-sqlite-1.20.6-1.mga3.noarch.rpm

from Source RPMs:
mediawiki-1.20.6-1.mga2.src.rpm
mediawiki-1.20.6-1.mga3.src.rpm

Sandro, are we also going to backport mediawiki-math for Mageia 2?
Comment 40 Sandro Cazzaniga 2013-05-25 15:11:16 CEST
If someone have time to do it, it would be great!
Comment 41 Sandro Cazzaniga 2013-06-07 09:53:51 CEST
Can we close this bug?
Comment 42 David Walser 2013-06-07 12:37:44 CEST
(In reply to Sandro Cazzaniga from comment #41)
> Can we close this bug?

Of course not.  We still have yet to issue an update for Mageia 2 or 3.  I know some work has been done on it, but it's not totally ready for QA.  See Comment 38.
Comment 43 David Walser 2013-06-07 18:58:18 CEST
LWN reference for the 1.20.6 update:
http://lwn.net/Vulnerabilities/553299/
Comment 44 Sandro Cazzaniga 2013-06-29 21:13:08 CEST
1.20.6 is waiting in mageia 2 and 3 in core/updates_testing..
Comment 45 David Walser 2013-06-29 21:57:34 CEST
(In reply to Sandro Cazzaniga from comment #44)
> 1.20.6 is waiting in mageia 2 and 3 in core/updates_testing..

And it still isn't ready as there are issues with the package, as I said in Comment 31, Comment 34, and Comment 35.

Also, as I understand it, mediawiki-math went from built-in (in the version in /release in Mageia 2) to an external module which is packaged separately, so for the Mageia 2 update, that will need backported so as to not cause regressions in the update.
Comment 46 Sandro Cazzaniga 2013-06-30 09:07:27 CEST
(In reply to David Walser from comment #45)
> And it still isn't ready as there are issues with the package, as I said in
> Comment 31, Comment 34, and Comment 35.
> 
> Also, as I understand it, mediawiki-math went from built-in (in the version
> in /release in Mageia 2) to an external module which is packaged separately,
> so for the Mageia 2 update, that will need backported so as to not cause
> regressions in the update.

Maybe the *offficial* maintainer can do something for that, I haven't much time.
Comment 47 David Walser 2013-07-19 17:30:08 CEST
The Mageia 3 update is being handled in Bug 10784.

The Mageia 3 mediawiki-ldapauthentication update in Bug 10785 also needs to be pushed before this one.

Updated packages uploaded for Mageia 2.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.20.6, fixing several unspecified security
issues.  This replaces the MediaWiki 1.16.5 version, which has been EOL
upstream for quite some time now, that was shipped with Mageia 2.

MediaWiki removed the Math extension for the 1.18 release, but it is now
available separately.  It has been packaged in the mediawiki-math package.

The mediawiki-graphviz and mediawiki-ldapauthentication packages have also
been updated to work with the new MediaWiki packages.

References:
http://www.mediawiki.org/wiki/Release_notes
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.1.mga2
mediawiki-mysql-1.20.6-1.1.mga2
mediawiki-pgsql-1.20.6-1.1.mga2
mediawiki-sqlite-1.20.6-1.1.mga2
mediawiki-math-1.0-1.110614.1.mga2
mediawiki-ldapauthentication-2.0c-1.mga2
mediawiki-graphviz-0.9-1.89857.3.mga2

from SRPMS:
mediawiki-1.20.6-1.1.mga2.src.rpm
mediawiki-math-1.0-1.110614.1.mga2.src.rpm
mediawiki-ldapauthentication-2.0c-1.mga2.src.rpm
mediawiki-graphviz-0.9-1.89857.3.mga2.src.rpm
Comment 48 Dave Hodgins 2013-07-21 03:21:12 CEST
Advisory 3448.adv added to svn.

No poc, so just testing that mediawiki works. Testing shortly.
Comment 49 David Walser 2013-07-21 03:22:49 CEST
Thanks Dave.  Please note that the Mageia 3 updates in Bug 10784 and Bug 10785 need to be pushed before this one (or at least at the same time).
Comment 50 Dave Hodgins 2013-07-21 03:45:00 CEST
In Mageia 2, I'm getting a 403 http status code, trying to access
http://localhost/mediawiki

The error_log shows
client denied by server configuration: /usr/share/mediawiki

Bug 10784 has already been validated.

I'll take a look at bug 10785 now.
Comment 51 David Walser 2013-07-21 03:55:26 CEST
Ahh, sorry.  I had Apache 2.4 syntax in the /etc/httpd/conf/webapps.d/mediawiki.conf file.  I've replaced it with Apache 2.2 syntax and rebuilt mediawiki.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

This update provides MediaWiki 1.20.6, fixing several unspecified security
issues.  This replaces the MediaWiki 1.16.5 version, which has been EOL
upstream for quite some time now, that was shipped with Mageia 2.

MediaWiki removed the Math extension for the 1.18 release, but it is now
available separately.  It has been packaged in the mediawiki-math package.

The mediawiki-graphviz and mediawiki-ldapauthentication packages have also
been updated to work with the new MediaWiki packages.

References:
http://www.mediawiki.org/wiki/Release_notes
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.2.mga2
mediawiki-mysql-1.20.6-1.2.mga2
mediawiki-pgsql-1.20.6-1.2.mga2
mediawiki-sqlite-1.20.6-1.2.mga2
mediawiki-math-1.0-1.110614.1.mga2
mediawiki-ldapauthentication-2.0c-1.mga2
mediawiki-graphviz-0.9-1.89857.3.mga2

from SRPMS:
mediawiki-1.20.6-1.2.mga2.src.rpm
mediawiki-math-1.0-1.110614.1.mga2.src.rpm
mediawiki-ldapauthentication-2.0c-1.mga2.src.rpm
mediawiki-graphviz-0.9-1.89857.3.mga2.src.rpm
Comment 52 Dave Hodgins 2013-07-21 05:08:06 CEST
Advisory 3448.adv updated in svn, for the new srpm. Testing shortly.
Comment 53 Dave Hodgins 2013-07-21 05:09:53 CEST
Ah. Have to wait for the mirrors to sync. I'll leave this till tomorrow,
unless someone else does it before I start testing again.
Comment 54 Dave Hodgins 2013-07-21 20:49:13 CEST
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push 3448.adv to updates.
Comment 55 Thomas Backlund 2013-07-21 22:13:33 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0226.html

Note You need to log in before you can comment on or make changes to this bug.