What Are You Looking For?

Sign Up
MGASA-2022-0145 - Updated mediawiki packages fix security vulnerability

Publication date: 18 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0145.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-28201,
     CVE-2022-28202,
     CVE-2022-28203,
     CVE-2022-28204

Title::newMainPage() goes into an infinite recursion loop if it points to a
local interwiki (CVE-2022-28201).

Messages widthheight/widthheightpage/nbytes not escaped when used in galleries
or Special:RevisionDelete (CVE-2022-28202).

Requesting Special:NewFiles on a wiki with many file uploads with actor as a
condition can result in a DoS (CVE-2022-28203).

Special:WhatLinksHere can result in a DoS when a page is used on a extremely
large number of other pages (CVE-2022-28204).

References:
- https://bugs.mageia.org/show_bug.cgi?id=30231
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28204

SRPMS:
- 8/core/mediawiki-1.35.6-1.mga8

Mageia 2022-0145: mediawiki security update

Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki (CVE-2022-28201)

Summary

Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki (CVE-2022-28201).
Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete (CVE-2022-28202).
Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS (CVE-2022-28203).
Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages (CVE-2022-28204).

References

- https://bugs.mageia.org/show_bug.cgi?id=30231

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28204

Resolution

MGASA-2022-0145 - Updated mediawiki packages fix security vulnerability

SRPMS

- 8/core/mediawiki-1.35.6-1.mga8

Severity
Publication date: 18 Apr 2022
URL: https://advisories.mageia.org/MGASA-2022-0145.html
Type: security
CVE: CVE-2022-28201, CVE-2022-28202, CVE-2022-28203, CVE-2022-28204

Related News

US Dismantles IPStorm Botnet Proxy Service

Nov 15, 2023

Severe Chromium Bug Threatens Sensitive Data, System Availability

Nov 13, 2023

Severe Poppler DoS Flaw Fixed

Oct 25, 2023

Severe Chromium DoS, Info Disclosure Vulns Fixed

Oct 25, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo