Bug 33156 - mediawiki new security issues CVE-2023-3550, CVE-2023-45359, CVE-2023-4536[0-4] and CVE-2023-51704
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-29 16:57 CEST by Nicolas Salguero
Modified: 2024-05-01 00:26 CEST

See Also:
Source RPM: mediawiki-1.35.11-1.mga9.src.rpm
CVE: CVE-2023-3550, CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364, CVE-2023-51704
Status comment:


Description Nicolas Salguero 2024-04-29 16:57:03 CEST
Debian has issued advisories:
https://lists.debian.org/debian-security-announce/2023/msg00213.html
https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html

Those CVEs were fixed in version 1.35.14.

Mageia 9 is also affected.

Nicolas Salguero 2024-04-29 16:58:03 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-3550, CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364, CVE-2023-51704
Source RPM: (none) => mediawiki-1.35.11-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-04-29 17:25:07 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. (CVE-2023-3550)

An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. (CVE-2023-45360)

An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak. (CVE-2023-45362)

An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. (CVE-2023-45363)

An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information. (CVE-2023-45364)

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. (CVE-2023-51704)

References:
https://lists.debian.org/debian-security-announce/2023/msg00213.html
https://lists.debian.org/debian-lts-announce/2024/04/msg00018.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.14-1.mga9
mediawiki-mysql-1.35.14-1.mga9
mediawiki-pgsql-1.35.14-1.mga9
mediawiki-sqlite-1.35.14-1.mga9

from SRPM:
mediawiki-1.35.14-1.mga9.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9

PC LX 2024-04-29 17:31:40 CEST

CC: (none) => mageia

katnatek 2024-04-29 18:32:08 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2024-04-29 22:47:47 CEST
Installed and tested without regressions.

The system used for testing is using php-fpm instead of mod_php so the issue in bug 27781 comment 6 is still present.
Also, the test used a SQLite database.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



# uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep mediawiki
mediawiki-sqlite-1.35.14-1.mga9
mediawiki-1.35.14-1.mga9

katnatek 2024-04-30 03:14:29 CEST

CC: (none) => andrewsfarm

Comment 3 katnatek 2024-04-30 03:15:21 CEST
PC LX's test was enough in the previous round: https://bugs.mageia.org/show_bug.cgi?id=32083

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-04-30 21:57:28 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-05-01 00:26:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0155.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

