"The security fix included in this release was considered low risk, hence the lack of a pre-release announcement. It only takes effect on new installs using SQLite. If you're using SQLite already on a shared host, you may want to check the file permissions of the database file, and stop them being readable by "everyone". More information can be found on the linked task, T322637." Of course, the bug still seems restricted: https://phabricator.wikimedia.org/T322637 In any case, please bump to 1.38.5, 1.39.1.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=192e988860df73eb8fd5f3f584c6c2738a673dde commit 192e988860df73eb8fd5f3f584c6c2738a673dde Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-12-23 08:56:59 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-12-23 08:57:10 +0000 www-apps/mediawiki: security bump to 1.38.5 & 1.39.1 Bug: https://bugs.gentoo.org/888041 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 2 + www-apps/mediawiki/mediawiki-1.38.5.ebuild | 86 ++++++++++++++++++++++++++++++ www-apps/mediawiki/mediawiki-1.39.1.ebuild | 86 ++++++++++++++++++++++++++++++ 3 files changed, 174 insertions(+)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3ef2f2544fd199e25bd9a08eb25f5910d4fcf1 commit ed3ef2f2544fd199e25bd9a08eb25f5910d4fcf1 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-12-26 07:54:43 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-12-26 07:56:06 +0000 www-apps/mediawiki: dropped obsolete & vulnerable 1.39.0 Bug: https://bugs.gentoo.org/888041 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 1 - www-apps/mediawiki/mediawiki-1.39.0.ebuild | 86 ------------------------------ 2 files changed, 87 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7701e36de89bd55fe5cc82f646618ddb1d7d7d74 commit 7701e36de89bd55fe5cc82f646618ddb1d7d7d74 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2022-12-26 16:28:01 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2022-12-26 16:28:13 +0000 www-apps/mediawiki: dropped obsolete & vulnerable 1.38.4 Bug: https://bugs.gentoo.org/888489 Bug: https://bugs.gentoo.org/888041 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-apps/mediawiki/Manifest | 1 - www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ------------------------------ 2 files changed, 87 deletions(-)
the tree is clean now, you can proceed
Thanks!
GLSA request filed. Still waiting on CVE, I think.
This is CVE-2022-47927.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1 commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-21 19:43:14 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-05-21 19:51:29 +0000 [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/815376 Bug: https://bugs.gentoo.org/829302 Bug: https://bugs.gentoo.org/836430 Bug: https://bugs.gentoo.org/855965 Bug: https://bugs.gentoo.org/873385 Bug: https://bugs.gentoo.org/888041 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+)
GLSA released, all done!