855965 – (CVE-2022-31090, CVE-2022-31091, CVE-2022-34911, CVE-2022-34912) <www-apps/mediawiki-{1.37.3,1.38.2}: multiple vulnerabilities

Bug 855965 (CVE-2022-31090, CVE-2022-31091, CVE-2022-34911, CVE-2022-34912) - <www-apps/mediawiki-{1.37.3,1.38.2}: multiple vulnerabilities

Summary: <www-apps/mediawiki-{1.37.3,1.38.2}: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-31090, CVE-2022-31091, CVE-2022-34911, CVE-2022-34912

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://lists.wikimedia.org/hyperkitt...
Whiteboard:	B4 [glsa+]
Keywords:

Depends on:	855995
Blocks:
	Show dependency tree

Reported:	2022-07-02 17:08 UTC by John Helmert III
Modified:	2023-05-21 19:53 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-07-02 17:08:35 UTC

CVE-2022-31091 (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699):

Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

CVE-2022-31090 (https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r):

Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.

Additionally, two issues without CVEs are mentioned in the advisory:

* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.

Note that the CVEs in this bug are different from the CVEs in the
advisory given Guzzle has gotten unique CVEs for itself in the
meantime.

Fixes are in MediaWiki 1.35.7, 1.37.3, 1.38.2, so please stabilize 1.37.3.

Comment 1 John Helmert III archtester

2022-07-02 22:38:40 UTC

Thanks! Please cleanup.

Comment 2 Larry the Git Cow gentoo-dev

2022-07-03 03:16:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c28af1c81f074b215f3240c6b813f340cc987857

commit c28af1c81f074b215f3240c6b813f340cc987857
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-03 03:15:55 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-03 03:15:55 +0000

    www-apps/mediawiki: removed obsolete 1.37.2
    
    Bug: https://bugs.gentoo.org/855995
    Bug: https://bugs.gentoo.org/855965
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.37.2.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)

Comment 3 Miroslav Šulc gentoo-dev

2022-07-03 03:17:02 UTC

the tree is clean now, you can proceed

Comment 4 John Helmert III archtester

2022-07-03 17:00:02 UTC

Thanks!

Comment 5 John Helmert III archtester

2022-12-26 20:39:21 UTC

GLSA request filed.

Comment 6 Larry the Git Cow gentoo-dev

2023-05-21 19:52:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comment 7 John Helmert III archtester

2023-05-21 19:53:46 UTC

GLSA released, all done!