| Summary: | mediawiki new security issues fixed upstream in 1.35.7 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | mediawiki-1.35.6-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-09-09 19:55:54 CEST
Fedora has issued an advisory for this on September 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ There's a CVE for the issue that didn't have one in the initial announcement. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: An issue was discovered in MediaWiki before 1.35.7. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text() (CVE-2022-34911). Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues (CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090, CVE-2022-31091). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911 https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3 https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ MGA8-64 Plasma on Acer Aspire 5253 No installation issues. Made sure mysqld and httpd are running, then follow wiki deleting previous test wiki and files in /var/www and /etc. Then install the updates and run the setup as per wiki. Make first new page as per bug 25986. All works OK. CC:
(none) =>
herman.viaene Validating. Advisory in Comment 1. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-09-16 20:11:59 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0338.html Resolution:
(none) =>
FIXED |