Mageia alert MGASA-2023-0241 (mediawiki)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org>
To:
             
 
updates-announce@ml.mageia.org
Subject:
             
 
[updates-announce] MGASA-2023-0241: Updated mediawiki packages fix security vulnerability
Date:
             
 
Thu, 27 Jul 2023 00:08:51 +0200
Message-ID:
             
 
<20230726220851.C418FA0039@duvel.mageia.org>
Archive-link:
             
 
Article
MGASA-2023-0241 - Updated mediawiki packages fix security vulnerability

Publication date: 26 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0241.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-29197,
     CVE-2023-36674,
     CVE-2023-36675

Description:
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP.
Affected versions are subject to improper header parsing. An attacker
could sneak in a newline (\n) into both the header names and values.
While the specification states that \r\n\r\n is used to terminate the
header list, many servers in the wild will also accept \n\n
(CVE-2023-29197).

Manualthumb bypasses badFile lookup (CVE-2023-36674).

XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).

References:
- https://bugs.mageia.org/show_bug.cgi?id=32083
-
https://lists.wikimedia.org/hyperkitty/list/mediawiki-ann...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...

SRPMS:
- 8/core/mediawiki-1.35.11-1.mga8