CVE-2023-29197 (https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw): guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

CVE-2023-36674 (https://phabricator.wikimedia.org/T335612): An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

CVE-2023-36675 (https://phabricator.wikimedia.org/T332889): An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.

These are all fixed in 1.39.4. Including in this bug for tracking.

A number of vulnerabilities have also been fixed in 1.39.5 and 1.40.1. From https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/BRWOWACCHMYRIS7JRTT6XD44X3362MVL/:

* (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

Not all vulnerabilities affect all release lines; see the above release announcement for details.

Please stabilize 1.39.5/1.40.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=685a494536d37c47f4b8eade997d9dcb1b277016

commit 685a494536d37c47f4b8eade997d9dcb1b277016
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-10-30 08:10:37 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-30 08:10:37 +0000

    www-apps/mediawiki: dropped obsolete 1.39.4-r1 & 1.40.0-r1

    Bug: https://bugs.gentoo.org/916517
    Bug: https://bugs.gentoo.org/916472
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                   |  2 -
 www-apps/mediawiki/mediawiki-1.39.4-r1.ebuild | 90 --------------------------
 www-apps/mediawiki/mediawiki-1.40.0-r1.ebuild | 92 ---------------------------
 3 files changed, 184 deletions(-)
The latest versions are stable now and the tree is clean now; you can proceed.
> * (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.

This is CVE-2023-45364.

> * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.

CVE-2023-45363.

> * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
> * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.

These two are still private in upstream's phabricator.

> * (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.

CVE-2023-45360.

> * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.

CVE-2023-45362.