Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:alpm/archlinux/mediawiki@1.38.2-1
purl pkg:alpm/archlinux/mediawiki@1.38.2-1
Next non-vulnerable version 1.38.3-1
Latest non-vulnerable version 1.38.3-1
Risk 4.0
Vulnerabilities affecting this package (14)
Vulnerability Summary Fixed by
VCID-674z-nf4t-b7ez
Aliases:
CVE-2022-29248
GHSA-cwmx-hcrq-mhc3
Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-92hf-r3sb-jbhy
Aliases:
CVE-2021-44855
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-9346-9aaj-fkfw
Aliases:
CVE-2022-41765
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-9exs-x5s1-4bhg
Aliases:
CVE-2022-31042
GHSA-f2wf-25xc-69c9
Failure to strip the Cookie header on change in host or HTTP downgrade ### Impact `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-9xyz-wzr8-wqhz
Aliases:
CVE-2022-31090
GHSA-25mq-v84q-4j7r
GMS-2022-2528
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-nwsr-ruca-2kha
Aliases:
CVE-2022-31043
GHSA-w248-ffj2-4v5q
Fix failure to strip Authorization header on HTTP downgrade ### Impact `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. ### Workarounds An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. ### References * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-pw9d-1cwb-tyb9
Aliases:
CVE-2022-28201
security update
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-qjhk-97j6-2qfm
Aliases:
CVE-2021-44854
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-qqvd-cjs3-7kab
Aliases:
CVE-2022-34912
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-qwcp-5hh8-z3gp
Aliases:
CVE-2022-41767
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-rz65-w7x5-57hu
Aliases:
CVE-2022-34911
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-sca5-n7rz-rffq
Aliases:
CVE-2021-44856
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-wzqf-k99e-vbeu
Aliases:
CVE-2022-31091
GHSA-q559-8m2m-g699
GMS-2022-2529
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service.
1.38.3-1
Affected by 0 other vulnerabilities.
VCID-yakw-r8bh-5bde
Aliases:
CVE-2022-28203
security update
1.38.3-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T18:24:08.609383+00:00 Arch Linux Importer Affected by VCID-qjhk-97j6-2qfm https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.587252+00:00 Arch Linux Importer Affected by VCID-92hf-r3sb-jbhy https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.563716+00:00 Arch Linux Importer Affected by VCID-sca5-n7rz-rffq https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.541035+00:00 Arch Linux Importer Affected by VCID-pw9d-1cwb-tyb9 https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.520461+00:00 Arch Linux Importer Affected by VCID-yakw-r8bh-5bde https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.498398+00:00 Arch Linux Importer Affected by VCID-674z-nf4t-b7ez https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.477688+00:00 Arch Linux Importer Affected by VCID-9exs-x5s1-4bhg https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.454656+00:00 Arch Linux Importer Affected by VCID-nwsr-ruca-2kha https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.432538+00:00 Arch Linux Importer Affected by VCID-9xyz-wzr8-wqhz https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.410368+00:00 Arch Linux Importer Affected by VCID-wzqf-k99e-vbeu https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.388753+00:00 Arch Linux Importer Affected by VCID-rz65-w7x5-57hu https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.366251+00:00 Arch Linux Importer Affected by VCID-qqvd-cjs3-7kab https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.343006+00:00 Arch Linux Importer Affected by VCID-9346-9aaj-fkfw https://security.archlinux.org/AVG-2823 38.0.0
2026-04-01T18:24:08.319135+00:00 Arch Linux Importer Affected by VCID-qwcp-5hh8-z3gp https://security.archlinux.org/AVG-2823 38.0.0