What Are You Looking For?

Popular Tags

Sign Up
MGASA-2023-0241 - Updated mediawiki packages fix security vulnerability

Publication date: 26 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0241.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-29197,
     CVE-2023-36674,
     CVE-2023-36675

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP.
Affected versions are subject to improper header parsing. An attacker
could sneak in a newline (\n) into both the header names and values.
While the specification states that \r\n\r\n is used to terminate the
header list, many servers in the wild will also accept \n\n
(CVE-2023-29197).

Manualthumb bypasses badFile lookup (CVE-2023-36674).

XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).

References:
- https://bugs.mageia.org/show_bug.cgi?id=32083
- https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36675

SRPMS:
- 8/core/mediawiki-1.35.11-1.mga8

Mageia 2023-0241: mediawiki security update

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP

Summary

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n (CVE-2023-29197).
Manualthumb bypasses badFile lookup (CVE-2023-36674).
XSS in BlockLogFormatter due to unsafe message use (CVE-2023-36675).

References

- https://bugs.mageia.org/show_bug.cgi?id=32083

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-annou[email protected]/thread/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36674

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36675

Resolution

MGASA-2023-0241 - Updated mediawiki packages fix security vulnerability

SRPMS

- 8/core/mediawiki-1.35.11-1.mga8

Severity
Publication date: 26 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0241.html
Type: security
CVE: CVE-2023-29197, CVE-2023-36674, CVE-2023-36675

Related News

Tails 5.9 Fixes Numerous Bugs and Enhances Security Measures

Jan 30, 2023

New Money Message Ransomware Attacks Both Windows & Linux Users

Apr 10, 2023

New TPM 2.0 Flaws Could Let Hackers Steal Cryptographic Keys

Mar 6, 2023

Important Fix for c-ares DoS Bug Released

Jun 22, 2023

News

Advisories

HOWTOs

Features

The Unseen Potential of Wake-on-LAN
Linux Vulnerabilities: The Antidote to This Linux Security Poison
Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge
Navigating Software Scalability: A Practical Guide to Building Scalable Systems with Linux
Unlocking the Secrets of Linux Security: An Expert Analysis

About Us

Powered By

Footer Logo

Feedback