-
mediawiki (1:1.15.5-2squeeze6) oldstable-security; urgency=low
* CVE-2013-4302: apply patch from upstream to prevent
access to anti-CSRF tokens via JSONP
-- Jonathan Wiltshire <email address hidden> Sun, 08 Sep 2013 19:53:58 +0100
-
mediawiki (1:1.15.5-2squeeze5) stable; urgency=low
[ Dominik George ]
* Security fixes from upstream (Closes: #694998):
- CVE-2012-5391 - Prevent session fixation in Special:UserLogin
- Prevent linker regex from exceeding backtrack limit
-- Jonathan Wiltshire <email address hidden> Sun, 16 Dec 2012 17:53:38 +0000
-
mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
* Disable CVE-2011-4360.patch, it causes ugly error messages in certain
situations. The CVE does not apply to this release.
-- Jonathan Wiltshire <email address hidden> Sat, 21 Jan 2012 20:59:36 +0000
-
mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
* CVE-2011-0047: Protect against a CSS injection vulnerability (closes: #611787) -- Jonathan Wiltshire <email address hidden> Sun, 06 Feb 2011 13:45:39 +0000
-
mediawiki (1:1.15.5-2) testing-security; urgency=high
* CVE-2011-0003: Protect against clickjacking by sending the X-Frame-Options header in all pages (except normal page views and a few selected special pages). Patch as released by upstream -- Jonathan Wiltshire <email address hidden> Tue, 04 Jan 2011 22:39:26 +0000
-
mediawiki (1:1.15.5-1) unstable; urgency=high
[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge
[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819)
-- Jonathan Wiltshire <email address hidden> Wed, 28 Jul 2010 12:23:04 +0100
-
mediawiki (1:1.15.4-2) unstable; urgency=low
[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser
[ Jonathan Wiltshire ]
* debian/source/format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
remove the original definition (LP: #406358)
* debian/README.source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation.patch improves documentation of
maintenance/dumpBackup.php (closes: #572355)
* Standards version 3.9.0 (no changes)
-- Jonathan Wiltshire <email address hidden> Tue, 29 Jun 2010 14:20:35 +0100
-
mediawiki (1:1.15.4-1) unstable; urgency=high
[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
Fix a cross-site scripting (XSS) vulnerability which allows
remote attackers to inject arbitrary web script or HTML via crafted
Cascading Style Sheets (CSS) strings that are processed as script by
Internet Explorer.
* CVE-2010-1648:
Fix a cross-site request forgery (CSRF) vulnerability in the login interface
which allows remote attackers to hijack the authentication of users for
requests that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form.
[ Romain Beauxis ]
* Put debian's package version in declared version.
Should help sysadmins to keep track of installed
versions, in particular with regard to security
updates.
* Added Jonathan Wiltshire to uploaders.
* Do not clan math dir if it does not exist (for instance
when running clean from SVN).
-- Romain Beauxis <email address hidden> Mon, 21 Jun 2010 23:41:29 +0200
-
mediawiki (1:1.15.3-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
-- Romain Beauxis <email address hidden> Fri, 16 Apr 2010 14:44:09 -0500
-
mediawiki (1:1.15.2-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
in README.Debian since they do not exist in any supported distribution
anymore.
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
feed element.
Closes: #383130
* Refreshed patches.
-- Romain Beauxis <email address hidden> Mon, 15 Mar 2010 11:41:07 -0500
-
mediawiki (1:1.15.1-1) unstable; urgency=low
* New upstream release.
* Ack previous NMU, thanks to Nico Golde for taking care
of this.
-- Romain Beauxis <email address hidden> Sun, 09 Aug 2009 10:46:41 -0500
-
mediawiki (1:1.15.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cross-site scripting in [[Special:Block]]
(No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-- Nico Golde <email address hidden> Sun, 26 Jul 2009 18:11:07 +0200
-
mediawiki (1:1.15.0-1) unstable; urgency=low
* New upstream release.
* Upstream added support for OASIS documents.
Closes: #530328
* Refreshed quilt patches
* Bumped standards versions to 3.8.2
* Bumped compat to 7
* Pointed to GPL-2 in debian/copyright
* Added php5-sqlite to possible DB backend dependencies.
Closes: #501569
* Proofread README.Debian, upgrade is documented there.
Closes: #520121
-- Romain Beauxis <email address hidden> Fri, 19 Jun 2009 01:38:50 +0200
-
mediawiki (1:1.14.0-1) unstable; urgency=low
* New upstream release.
* Fixed issues in the installer:
"A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php).
These vulnerabilities all require a live installer once the installer
has been used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled
copy of MediaWiki on the same site as an active web service, MediaWiki
could be used to attack the active service."
Closes: #514547
* Fixed typo in README.Debian
Closes: #515192
* Updated japanese debconf translation, thanks to Hideki Yamane
Closes: #510896
* Added a file in debian/copyright
-- Romain Beauxis <email address hidden> Fri, 06 Mar 2009 20:29:17 +0100
-
mediawiki (1:1.13.3-1) unstable; urgency=low
* New upstream release.
* Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
"An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2."
Closes: #508868
* Fix CVE-2008-5250: several local script injection vulnerabilities
in MediaWiki:
"o A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
o A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled."
Closes: #508869
* Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
feature in MediaWiki:
"A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0."
Closes: #508870
-- Romain Beauxis <email address hidden> Thu, 18 Dec 2008 02:37:58 +0100