Updated mediawiki packages fix security vulnerability
Publication date: 18 Apr 2022Modification date: 18 Apr 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-28201 , CVE-2022-28202 , CVE-2022-28203 , CVE-2022-28204
Description
Title::newMainPage() goes into an infinite recursion loop if it points to a
local interwiki (CVE-2022-28201).
Messages widthheight/widthheightpage/nbytes not escaped when used in galleries
or Special:RevisionDelete (CVE-2022-28202).
Requesting Special:NewFiles on a wiki with many file uploads with actor as a
condition can result in a DoS (CVE-2022-28203).
Special:WhatLinksHere can result in a DoS when a page is used on a extremely
large number of other pages (CVE-2022-28204).
References
- https://bugs.mageia.org/show_bug.cgi?id=30231
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28204
SRPMS
8/core
- mediawiki-1.35.6-1.mga8