Gentoo Linux Security Advisory 202305-24

Gentoo Linux Security Advisory 202305-24 - Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. Versions greater than or equal to 1.25.2 are affected.

Packet Storm

Gentoo Linux Security Advisory GLSA 202305-24


https://security.gentoo.org/

Severity: Low
Title: MediaWiki: Multiple Vulnerabilities
Date: May 21, 2023
Bugs: #815376, #829302, #836430, #855965, #873385, #888041
ID: 202305-24


Synopsis

Multiple vulnerabilities have been found in MediaWiki, the worst of
which could result in denial of service.

Background

MediaWiki is collaborative editing software used by big projects like
Wikipedia.

Affected packages

Package               Vulnerable    Unaffected
--------------------  ------------  ------------
www-apps/mediawiki    < 1.25.2      >= 1.25.2

Description

Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All MediaWiki users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.38.5"

References

[ 1 ] CVE-2021-41798
https://nvd.nist.gov/vuln/detail/CVE-2021-41798
[ 2 ] CVE-2021-41799
https://nvd.nist.gov/vuln/detail/CVE-2021-41799
[ 3 ] CVE-2021-41800
https://nvd.nist.gov/vuln/detail/CVE-2021-41800
[ 4 ] CVE-2021-44854
https://nvd.nist.gov/vuln/detail/CVE-2021-44854
[ 5 ] CVE-2021-44855
https://nvd.nist.gov/vuln/detail/CVE-2021-44855
[ 6 ] CVE-2021-44856
https://nvd.nist.gov/vuln/detail/CVE-2021-44856
[ 7 ] CVE-2021-44857
https://nvd.nist.gov/vuln/detail/CVE-2021-44857
[ 8 ] CVE-2021-44858
https://nvd.nist.gov/vuln/detail/CVE-2021-44858
[ 9 ] CVE-2021-45038
https://nvd.nist.gov/vuln/detail/CVE-2021-45038
[ 10 ] CVE-2022-28202
https://nvd.nist.gov/vuln/detail/CVE-2022-28202
[ 11 ] CVE-2022-28205
https://nvd.nist.gov/vuln/detail/CVE-2022-28205
[ 12 ] CVE-2022-28206
https://nvd.nist.gov/vuln/detail/CVE-2022-28206
[ 13 ] CVE-2022-28209
https://nvd.nist.gov/vuln/detail/CVE-2022-28209
[ 14 ] CVE-2022-31090
https://nvd.nist.gov/vuln/detail/CVE-2022-31090
[ 15 ] CVE-2022-31091
https://nvd.nist.gov/vuln/detail/CVE-2022-31091
[ 16 ] CVE-2022-34911
https://nvd.nist.gov/vuln/detail/CVE-2022-34911
[ 17 ] CVE-2022-34912
https://nvd.nist.gov/vuln/detail/CVE-2022-34912
[ 18 ] CVE-2022-41765
https://nvd.nist.gov/vuln/detail/CVE-2022-41765
[ 19 ] CVE-2022-41766
https://nvd.nist.gov/vuln/detail/CVE-2022-41766
[ 20 ] CVE-2022-41767
https://nvd.nist.gov/vuln/detail/CVE-2022-41767
[ 21 ] CVE-2022-47927
https://nvd.nist.gov/vuln/detail/CVE-2022-47927

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202305-24

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed).

CVE-2022-47927: Security and maintenance release: 1.35.9 / 1.38.5 / 1.39.1 - MediaWiki-announce

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.

CVE-2021-44856: ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of the EditFilterMergedContent hook return value.

CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.

CVE-2022-41765: HTMLUserTextField exposes existence of hidden users

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.

CVE-2021-44855: Blind Stored XSS via Upload Image via URL

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.

CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.

CVE-2022-34911: Username is not escaped in the "welcomeuser" message

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().

CVE-2022-34912: Username not escaped in the contributions-title message

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

CVE-2022-31091: Release 7.4.5 (#3043) · guzzle/guzzle@1dd98b0

Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects ...

GHSA-q559-8m2m-g699: Change in port should be considered a change in origin

### Impact

`Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before continuing. Previously, we would only consider a change in host or scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin.

### Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5.

### Workarounds

An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

### References

* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)
* [CVE-2022-27776](http...

GHSA-25mq-v84q-4j7r: CURLOPT_HTTPAUTH option not cleared on change of origin

### Impact

`Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.

### Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. ...

CVE-2022-28209: ⚓ T304126 One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209)

An issue was discovered in MediaWiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.

CVE-2022-28206: ⚓ T294256 FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206)

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.

CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
