Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-47927: Security and maintenance release: 1.35.9 / 1.38.5 / 1.39.1 - MediaWiki-announce

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.

CVE
#sql#git#php

I would like to announce the release of MediaWiki 1.35.9, 1.38.5 and 1.39.1! The security fix included in this release was considered low risk, hence the lack of a pre-release announcement. It only takes effect on new installs using SQLite. If you’re using SQLite already on a shared host, you may want to check the file permissions of the database file, and stop them being readable by "everyone". More information can be found on the linked task, T322637. These releases also serve as a maintenance release for these branches. The tarballs have already been uploaded as of this e-mail, and the git tags have been pushed. A “MediaWiki Extensions Security Release Supplement” e-mail will follow this one, covering security updates for non-bundled extensions. Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been back-ported. This should fix a lot of log spam, and MediaWiki should work on both released versions (PHP 8.0 and 8.1). Reports of bugs with PHP 8.0, 8.1, or 8.2 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/ and https://phabricator.wikimedia.org/tag/php_8.2_support/ for the relevant work boards. As a reminder, 1.37 became end of life (EOL) in November 2022. It is recommended to upgrade to 1.38, or to 1.39 (the next LTS after 1.35) which was released in November 2022. == Security fixes == * (T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T322637 == Release notes == Full release notes for 1.35.9: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.35 Full release notes for 1.38.5: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.38 Full release notes for 1.39.1: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.39 For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.zip Patch to previous version (1.35.8): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.tar.gz.… https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.zip Patch to previous version (1.38.4): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.zip Patch to previous version (1.39.0): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

Related news

Gentoo Linux Security Advisory 202305-24

Gentoo Linux Security Advisory 202305-24 - Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. Versions greater than or equal to 1.25.2 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907