Bug 33156

Summary: mediawiki new security issues CVE-2023-3550, CVE-2023-45359, CVE-2023-4536[0-4] and CVE-2023-51704
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: mediawiki-1.35.11-1.mga9.src.rpm CVE: CVE-2023-3550, CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364, CVE-2023-51704
Status comment:

Description Nicolas Salguero 2024-04-29 16:57:03 CEST 
Debian has issued advisories:
https://lists.debian.org/debian-security-announce/2023/msg00213.html
https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html

Those CVEs were fixed in version 1.35.14.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-29 16:58:03 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-3550, CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364, CVE-2023-51704
Source RPM: (none) => mediawiki-1.35.11-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-04-29 17:25:07 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. (CVE-2023-3550)

An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. (CVE-2023-45360)

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak. (CVE-2023-45362)

An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. (CVE-2023-45363)

An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. (CVE-2023-45364)

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. (CVE-2023-51704)

References:
https://lists.debian.org/debian-security-announce/2023/msg00213.html
https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.14-1.mga9
mediawiki-mysql-1.35.14-1.mga9
mediawiki-pgsql-1.35.14-1.mga9
mediawiki-sqlite-1.35.14-1.mga9

from SRPM:
mediawiki-1.35.14-1.mga9.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9

PC LX 2024-04-29 17:31:40 CEST

CC: (none) => mageia

katnatek 2024-04-29 18:32:08 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2024-04-29 22:47:47 CEST 
Installed and tested without regressions.

The system used for testing is using php-fpm instead of mod_php so the issue in bug 27781 comment 6 is still present.
Also, the test used a SQLite database.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



# uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep mediawiki
mediawiki-sqlite-1.35.14-1.mga9
mediawiki-1.35.14-1.mga9
katnatek 2024-04-30 03:14:29 CEST

CC: (none) => andrewsfarm

Comment 3 katnatek 2024-04-30 03:15:21 CEST 
PC LX Test was enough in previous roud https://bugs.mageia.org/show_bug.cgi?id=32083

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-04-30 21:57:28 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-05-01 00:26:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0155.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED