--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-e022ecbc52
2018-10-07 22:15:04.448869
--------------------------------------------------------------------------------
Name : mediawiki
Product : Fedora 28
Version : 1.29.3
Release : 1.fc28
URL : http://www.mediawiki.org/
Summary : A wiki engine
Description :
MediaWiki is the software used for Wikipedia and the other Wikimedia
Foundation websites. Compared to other wikis, it has an excellent
range of features and support for high-traffic websites using multiple
servers.
This package supports wiki farms. Read the instructions for creating wiki
instances under /usr/share/doc/mediawiki/README.RPM.
Remember to remove the config dir after completing the configuration.
--------------------------------------------------------------------------------
Update Information:
https://www.mediawiki.org/wiki/Release_notes/1.29#MediaWiki_1.29.3
- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
- (T180551) Fix LanguageSrTest for language converter
- (T180552) Fix language converter parser test with self-close tags
- (T180537) Remove $wgAuth usage from wrapOldPasswords.php
- (T180485) InputBox: Have inputbox langconvert certain attributes
- (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
- (T172927) Drop vendor from MW release branch
- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
  array
- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
- (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
- (T182381) Mask deprecated call in WatchedItemUnitTest
- (T190503) Let built-in web server (maintenance/dev) handle .php requests.
- The karma qunit tests would fail on some configuration due to headers
  already sent. Check headers_sent() before sending cpPosTime headers
- (T167507) selenium: Run Chrome headlessly.
- selenium: Pass -no-sandbox to Chrome under Docker
- (T191247) Use MediaWiki\SuppressWarnings around trigger_error() instead of @
- (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
  fails under SQLite.
- (T192584) Stop incorrectly passing USE INDEX to
  RecentChange::newFromConds().
- (T179190) selenium: Move test running logic from package.json to
  selenium.sh.
- (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
- Add default edit rate limit of 90 edits/minute for all users.
- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
- (T196672) The mtime of extension.json files is now able to be zero
- (T180403) Validate $length in padleft/padright parser functions.
- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
- (T194237) Special:BotPasswords now requires reauthentication.
- (T191608, T187638) Add 'logid' parameter to Special:Log.
- (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
- (T193829) Indicate when a Bot Password needs reset.
- (T151415) Log email changes.
- (T118420) Unbreak Oracle installer.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 28 2018 Michael Cronenworth <mike(a)cchtml.com> - 1.29.3-1
- Update to 1.29.3
- https://www.mediawiki.org/wiki/Release_notes/1.29#MediaWiki_1.29.3
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.29.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 8 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.29.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1634170 - CVE-2018-0504 mediawiki: Information exposure when a log event is (partially) hidden [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1634170
[ 2 ] Bug #1634167 - CVE-2018-0505 mediawiki: BotPassword can bypass CentralAuth's account lock [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1634167
[ 3 ] Bug #1634162 - CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1634162
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-e022ecbc52' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------