Updated mediawiki packages fix security vulnerability
Publication date: 26 Jul 2023Modification date: 26 Jul 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-29197 , CVE-2023-36674 , CVE-2023-36675
Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP.
Affected versions are subject to improper header parsing. An attacker
could sneak in a newline (\n) into both the header names and values.
While the specification states that \r\n\r\n is used to terminate the
header list, many servers in the wild will also accept \n\n
(CVE-2023-29197).
Manualthumb bypasses badFile lookup (CVE-2023-36674).
XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).
References
- https://bugs.mageia.org/show_bug.cgi?id=32083
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36675
SRPMS
8/core
- mediawiki-1.35.11-1.mga8