Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 855965 (CVE-2022-31090, CVE-2022-31091, CVE-2022-34911, CVE-2022-34912) - <www-apps/mediawiki-{1.37.3,1.38.2}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.37.3,1.38.2}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-31090, CVE-2022-31091, CVE-2022-34911, CVE-2022-34912
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/hyperkitt...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 855995
Blocks:
  Show dependency tree
 
Reported: 2022-07-02 17:08 UTC by John Helmert III
Modified: 2022-12-26 20:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 17:08:35 UTC
CVE-2022-31091 (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699):

Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

CVE-2022-31090 (https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r):

Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.

Additionally, two issues without CVEs are mentioned in the advisory:

* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.

Note that the CVEs in this bug are different from the CVEs in the
advisory given Guzzle has gotten unique CVEs for itself in the
meantime.

Fixes are in MediaWiki 1.35.7, 1.37.3, 1.38.2, so please stabilize 1.37.3.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 22:38:40 UTC
Thanks! Please cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-07-03 03:16:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28af1c81f074b215f3240c6b813f340cc987857

commit c28af1c81f074b215f3240c6b813f340cc987857
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-03 03:15:55 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-03 03:15:55 +0000

    www-apps/mediawiki: removed obsolete 1.37.2
    
    Bug: https://bugs.gentoo.org/855995
    Bug: https://bugs.gentoo.org/855965
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.37.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2022-07-03 03:17:02 UTC
the tree is clean now, you can proceed
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-03 17:00:02 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:39:21 UTC
GLSA request filed.