What Are You Looking For?

Popular Tags

Sign Up
MGASA-2023-0204 - Updated mediawiki packages fix security vulnerability

Publication date: 28 Jun 2023
URL: https://advisories.mageia.org/MGASA-2023-0204.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2020-36649,
     CVE-2022-47927,
     CVE-2023-22909,
     CVE-2023-2291,
     CVE-2023-29141

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).

An issue was discovered in MediaWiki before 1.35.9. When installing with a
pre-existing data directory that has weak permissions, the SQLite files
are created with file mode 0644, i.e., world readable to local users.
These files include credentials data (CVE-2022-47927).

An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory
allows remote attackers to cause a denial of service because database
queries are slow (CVE-2023-22909).

An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget
replacement in HTML attributes, which can lead to XSS, because widget
authors often do not expect that their widget is executed in an HTML
attribute context (CVE-2023-22911).

An issue was discovered in MediaWiki before 1.35.10. An auto-block can
occur for an untrusted X-Forwarded-For header (CVE-2023-29141).

OATHAuth allows replay attacks when MediaWiki is configured without
ObjectCache; Insecure Default Configuration (T330086).

References:
- https://bugs.mageia.org/show_bug.cgi?id=31463
- https://lists.wikimedia.org/hyperkitty/list/[email protected]/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
- https://lists.wikimedia.org/hyperkitty/list/[email protected]/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2291
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29141

SRPMS:
- 8/core/mediawiki-1.35.10-1.mga8

Mageia 2023-0204: mediawiki security update

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649)

Summary

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).
An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927).
An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909).
An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911).
An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur for an untrusted X-Forwarded-For header (CVE-2023-29141).
OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration (T330086).

References

- https://bugs.mageia.org/show_bug.cgi?id=31463

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announ[email protected]/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announ[email protected]/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36649

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47927

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2291

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29141

Resolution

MGASA-2023-0204 - Updated mediawiki packages fix security vulnerability

SRPMS

- 8/core/mediawiki-1.35.10-1.mga8

Severity
Publication date: 28 Jun 2023
URL: https://advisories.mageia.org/MGASA-2023-0204.html
Type: security
CVE: CVE-2020-36649, CVE-2022-47927, CVE-2023-22909, CVE-2023-2291, CVE-2023-29141

Related News

APT36 Using Customized Malware to Attack Indian Government Linux and Windows Servers

Sep 16, 2023

There's Now a Linux Version of This Dangerous VMware Ransomware

Jun 30, 2023

‘Worm-like’ Botnet Malware Targeting Popular Redis Storage Tool

Aug 1, 2023

Linux Creator Expresses “Frustration” Towards AMD’s fTPM Bugs, Calls To Disable Feature

Aug 1, 2023

News

Advisories

HOWTOs

Features

Guide To Tackling Network Programming Assignments On Linux
Guide To Software Security Testing On Linux
Everything You Need to Know About Linux Proxy Servers
Simple Steps for Identifying & Troubleshooting a Kernel Panic
Linux Endpoint Detection and Response (EDR): A Crucial Part of a Successful Cybersecurity Strategy

About Us

Powered By

Footer Logo

Feedback