CVE-2022-31091 (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699): Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions, on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

CVE-2022-31090 (https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r): Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions, when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you do not require or expect redirects to be followed, one should simply disable redirects altogether. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.

Additionally, two issues without CVEs are mentioned in the advisory:

* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.

Note that the CVEs in this bug are different from the CVEs in the advisory, given Guzzle has gotten unique CVEs for itself in the meantime. Fixes are in MediaWiki 1.35.7, 1.37.3, 1.38.2, so please stabilize 1.37.3.
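As an added illustration of the origin comparison the two advisories describe (this is standalone example code, not Guzzle's or MediaWiki's own middleware), the following PHP compares scheme, host and effective port before a redirect is followed and drops `Authorization` and `Cookie` when any of them changes; the function names and the sample request are hypothetical, and default ports are normalised so that `http://host` and `http://host:80` count as the same origin.

```php
<?php
declare(strict_types=1);

// Resolve the effective port so that "http://example.test" and
// "http://example.test:80" compare as the same origin.
function effectivePort(array $parts): ?int
{
    if (isset($parts['port'])) {
        return (int) $parts['port'];
    }
    $defaults = ['http' => 80, 'https' => 443];
    $scheme = strtolower($parts['scheme'] ?? '');
    return $defaults[$scheme] ?? null;
}

// True when scheme, host or effective port differ. The pre-7.4.5 check
// described in the advisory only compared host and scheme, so a redirect
// that changed only the port kept the sensitive headers.
function isCrossOrigin(string $fromUri, string $toUri): bool
{
    $from = parse_url($fromUri);
    $to = parse_url($toUri);
    if ($from === false || $to === false) {
        return true; // an unparseable target is treated as a different origin
    }
    return strtolower($from['scheme'] ?? '') !== strtolower($to['scheme'] ?? '')
        || strtolower($from['host'] ?? '') !== strtolower($to['host'] ?? '')
        || effectivePort($from) !== effectivePort($to);
}

// Return the headers to send on the redirected request: unchanged for a
// same-origin redirect, with Authorization and Cookie removed otherwise.
function headersForRedirect(array $headers, string $fromUri, string $toUri): array
{
    if (!isCrossOrigin($fromUri, $toUri)) {
        return $headers;
    }
    return array_filter(
        $headers,
        fn(string $name): bool => !in_array(strtolower($name), ['authorization', 'cookie'], true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed demo: same scheme and host, but the redirect target uses another port.
$headers = ['Authorization' => 'Bearer <token>', 'Cookie' => 'session=abc', 'Accept' => 'application/json'];
$kept = headersForRedirect($headers, 'https://api.example.test/login', 'https://api.example.test:8443/next');
print_r(array_keys($kept));
```

The curl-handler variant in CVE-2022-31090 needs the same comparison, with the action being to unset `CURLOPT_HTTPAUTH` on the follow-up request instead of filtering a header array.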
Thanks! Please clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28af1c81f074b215f3240c6b813f340cc987857

commit c28af1c81f074b215f3240c6b813f340cc987857
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-03 03:15:55 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-03 03:15:55 +0000

    www-apps/mediawiki: removed obsolete 1.37.2

    Bug: https://bugs.gentoo.org/855995
    Bug: https://bugs.gentoo.org/855965
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.37.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
the tree is clean now, you can proceed
Thanks!
GLSA request filed.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
GLSA released, all done!