Mageia 8 MGASA-2023-0241 Critical: MediaWiki Header Issues and XSS

July 26, 2023
Updated Mageia mediawiki packages fix security issues in HTTP header parsing and cross-site scripting vulnerabilities.

Summary

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions parse headers improperly: a newline (\n) can be injected into both header names and header values. The specification requires \r\n\r\n to terminate the header list, but many servers in the wild also accept \n\n (CVE-2023-29197).
Manualthumb bypasses badFile lookup (CVE-2023-36674).
XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).
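As an added illustration of the header-parsing issue above (this is example code written for this page, not code from the advisory or from guzzlehttp/psr7), the Python below shows the two defensive checks a PSR-7 style implementation needs: header names restricted to the RFC 7230 token set, and header values with no CR or LF at all, plus a wire-level check that flags a bare LF the way a strict parser would disagree with a lenient one. The function names and the sample header values are constructed for the example.

```python
import re

# RFC 7230 "token" characters: the only characters legal in a header field name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: HTAB, SP, visible ASCII and obs-text. CR and LF are excluded,
# so obs-fold line continuation is rejected as well.
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could alter message framing."""


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Return (name, value) if both are framing-safe, otherwise raise.

    fullmatch() is used on purpose: a '$'-anchored match() would still accept a
    value that ends in a trailing newline, which is exactly the byte to reject.
    """
    if not _TOKEN_RE.fullmatch(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError(f"line break in header value: {value!r}")
    if not _VALUE_RE.fullmatch(value):
        raise HeaderInjectionError(f"invalid header value: {value!r}")
    return name, value


def serialize_headers(headers: dict[str, str]) -> bytes:
    """Validate every pair, then emit a CRLF-terminated header block."""
    lines = []
    for name, value in headers.items():
        name, value = validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def has_bare_lf(raw: bytes) -> bool:
    """True if the raw header block contains an LF not preceded by CR.

    A strict parser only recognises CRLF; a lenient one also ends a line (or the
    whole header list, on LF LF) at a bare LF. Flagging bare LF on the wire is a
    cheap check for a proxy, WAF rule or log pipeline.
    """
    return re.search(rb"(?<!\r)\n", raw) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    block = serialize_headers({"Host": "example.test", "X-Request-Id": "abc123"})
    print(block, "bare LF present:", has_bare_lf(block))
    for name, value in (("X-Bad-Name\n", "x"), ("X-Trace", "ok\nInjected: yes")):
        try:
            validate_header(name, value)
        except HeaderInjectionError as exc:
            print("rejected:", exc)
```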

References

- https://bugs.mageia.org/show_bug.cgi?id=32083
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/
- https://www.cve.org/CVERecord?id=CVE-2023-29197
- https://www.cve.org/CVERecord?id=CVE-2023-36674
- https://www.cve.org/CVERecord?id=CVE-2023-36675

Resolution

SRPMS

- 8/core/mediawiki-1.35.11-1.mga8

Severity: critical

Publication date: 26 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0241.html
Type: security
CVE: CVE-2023-29197, CVE-2023-36674, CVE-2023-36675
