CVE-2022-41929
The xwiki-platform-oldcore package is missing authorization, which may allow a user with only Script rights to enable or disable a user.
If upgrading from a version that was affected by this issue, you will likely experience issues with disabling or enabling users. XWiki server errors will likely be seen during upgrade, and disabling users may result in these users being left enabled. Upgrading to XWiki 14.5RC1 or later will resolve this issue. If you are still running XWiki 13.10.2 or earlier, upgrading to XWiki 13.10.7 or later will resolve this issue.
XWiki 13.10.7 and later have been patched to resolve a potential issue with xwiki.profile.uri not being set. If upgrading, you will likely see an error in your upgrade log when attempting to upgrade. If upgrading from XWiki 13.10.2 or earlier, you will likely see an error in your upgrade log when attempting to upgrade.
XWiki 14.5RC1 and later have been patched to resolve an issue that causes the error "Error setting write bit on file xwiki.profile.uri." when upgrading. Upgrading from XWiki 14.4.2 or earlier may result in this error. If upgrading from XWiki 14.4.2 or earlier, you will likely see an error in your upgrade log.
XWiki 13.10.7 and later have been patched to resolve an issue that causes the error "Error setting file permissions on file xwiki.profile.uri." when upgrading. If upgrading from XWiki 13
The following table summarizes the products and versions that are no longer supported due to end of life of product.
How to find the last version of your installation
To find the last version of your installation, you can use the following commands.
- Check for updates: sudo apache2ctl -V | grep XWiki or perl -MCPAN -e 'install WWW::XWiki'
- Check for updates and restart Apache: sudo apache2ctl -t && sudo systemctl restart httpd.service
Supported versions
How to Upgrade XWiki
Upgrade to XWiki 14.5RC1 or later if you are on XWiki 13.10.2 or earlier and upgrading from a version that was affected by this issue (CVE-2022-41929). Upgrade to XWiki 14.5RC1 if you are on XWiki 13.10.7 or later and upgrading from a version that was not affected by this issue (not including the snapshot: xwiki-14042).
Upgrade to XWiki 14.4.2 if you are on XWiki 14.4 or earlier and upgrading from a version that was not affected by this issue (not including the snapshot: xwiki-14042).
Timeline
Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 16:48:00 UTC