Fedora 36: 2022-09-09 MediaWiki Security Advisory - Critical Fixes

MediaWiki is the software used for Wikipedia and the other Wikimedia

Foundation websites. Compared to other wikis, it has an excellent

range of features and support for high-traffic websites using multiple

servers

This package supports wiki farms. Read the instructions for creating wiki

instances under /usr/share/doc/mediawiki/README.RPM.

Remember to remove the config dir after completing the configuration.

MediaWiki 1.37.4 This is a maintenance release of the MediaWiki 1.37 branch.

Changes since MediaWiki 1.37.3 Localisation updates. (T311568)

UploadBase::setTempFile() handle $tempPath being passed as null. (T311559)

SpecialListFiles: user parameter isn't always present. (T311561)

ImageListPager: Don't call htmlspecialchars() on null. (T311920)

SpecialBlockList: Prevent passing null to trim(). (T311921)

SpecialUserrights: Don't pass null to str_replace. (T311570)

SpecialWithoutInterwiki: Don't pass null through to Title::capitalize().

(T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.

(T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor. (T296435, T297669)

cache: Add four fields to LinkCache::getSelectFields. MediaWiki 1.37.3 This is

a security and maintenance release of the MediaWiki 1.37 branch. Changes since

MediaWiki 1.37.2 Localisation updates. (T289879) Type hints for

ArrayAccess and JsonSerializable. (T304783) TemplateParser: avoid warnings

when called by NoLocalSettings. Rebuilt vendor with composer 2.3.3. Fix

old_name in UserLogoutComplete hook. (T289879) Address some deprecations for

PHP 8.1. (T193565) UserGroupManager: Fix dbDomain in addUserToGroup()

deferred update. (T309114) LocalFile::prerenderThumbnails: Limit the number

of thumbnail jobs triggered. (T307982) Updated wikimedia/parsoid from

v0.14.0 to v0.14.1. (T308471) SECURITY: Escape welcomeuser message passed to

showSuccessPage(). (T308473) SECURITY: Escape contributions-title msg for

use within page title. (T311272) Call parent constructor of AddSite

maintenance script first. MediaWiki: Don't eagerly initialize action name.

Updated wikimedia/shellbox from v2.0.0 to v2.1.1. (T311384, CVE-2022-27776)

Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. (T289926) Avoid passing null

to trim() in SkinTemplate. (T311473) rollbackEdits: Pass user identity to

RollbackPage. (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.

(T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.

(T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode().

(T311569) FileBackend::isStoragePath() Handle being passed null. (T311544)

Pass int to ApiUsageException::newWithMessage()'s $httpCode param. (T311678)

SpecialEditWatchlist: Prevent passing null to strtolower(). (T281741)

ChangeTags: Fix adding CSS classes for hidden tags. (T296642) changetags:

Fix management of a '0' tag. (T311554) ChangeTags: Return early in

formatSummaryRow() if $tags === null. (T303033) Handle null in

ChangeTags::modifyDisplayQuery. Updated wikimedia/common-passwords from

0.3.0 to 0.4.0.

* Thu Sep 1 2022 Michael Cronenworth - 1.37.4-1

- Update to 1.37.4

[ 1 ] Bug #2101639 - MediaWiki 1.37.2 pulls in version of dependency (Parsoid 0.14.0) broken with PHP 8.1

https://bugzilla.redhat.com/show_bug.cgi?id=2101639

[ 2 ] Bug #2102955 - mediawiki-1.38.2 is available

https://bugzilla.redhat.com/show_bug.cgi?id=2102955

[ 3 ] Bug #2112771 - CVE-2022-34911 mediawiki: Cross-site Scripting [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2112771

[ 4 ] Bug #2112773 - CVE-2022-34912 mediawiki: Username not escaped in the contributions-title message [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2112773

su -c 'dnf upgrade --advisory FEDORA-2022-f83aec6d57' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam, report it: