Advisories ยป MGASA-2023-0241

Updated mediawiki packages fix security vulnerability

Publication date: 26 Jul 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-29197 , CVE-2023-36674 , CVE-2023-36675

Description

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP.
Affected versions are subject to improper header parsing. An attacker
could sneak in a newline (\n) into both the header names and values.
While the specification states that \r\n\r\n is used to terminate the
header list, many servers in the wild will also accept \n\n
(CVE-2023-29197).

Manualthumb bypasses badFile lookup (CVE-2023-36674).

XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).
                

References

SRPMS

8/core