diff -Nru mediawiki-1.19.17+dfsg/debian/changelog mediawiki-1.19.18+dfsg/debian/changelog
--- mediawiki-1.19.17+dfsg/debian/changelog 2014-06-26 07:57:08.000000000 +0000
+++ mediawiki-1.19.18+dfsg/debian/changelog 2014-08-24 04:52:14.000000000 +0000
@@ -1,3 +1,14 @@
+mediawiki (1:1.19.18+dfsg-0.1) unstable; urgency=high
+
+ * Non-maintainer upload with maintainers approval.
+ * Imported Upstream version 1.19.18+dfsg
+ (Closes: #758510)
+ - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
+ - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
+ OutputPage and ParserOutput.
+
+ -- Salvatore Bonaccorso Sun, 24 Aug 2014 06:47:35 +0200
+
 mediawiki (1:1.19.17+dfsg-1) unstable; urgency=medium
 * New upstream security and maintenance release:
diff -Nru mediawiki-1.19.17+dfsg/includes/api/ApiFormatJson.php mediawiki-1.19.18+dfsg/includes/api/ApiFormatJson.php
--- mediawiki-1.19.17+dfsg/includes/api/ApiFormatJson.php 2014-06-25 21:11:49.000000000 +0000
+++ mediawiki-1.19.18+dfsg/includes/api/ApiFormatJson.php 2014-07-30 19:26:17.000000000 +0000
@@ -62,6 +62,9 @@
 $callback = $params['callback'];
 if ( !is_null( $callback ) ) {
 $prefix = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback ) . '(';
+ # Prepend a comment to try to avoid attacks against content
+ # sniffers, such as bug 68187.
+ $prefix = ( "/**/$prefix" );
 $suffix = ')';
 }
 $this->printText(
diff -Nru mediawiki-1.19.17+dfsg/includes/DefaultSettings.php mediawiki-1.19.18+dfsg/includes/DefaultSettings.php
--- mediawiki-1.19.17+dfsg/includes/DefaultSettings.php 2014-06-25 21:11:49.000000000 +0000
+++ mediawiki-1.19.18+dfsg/includes/DefaultSettings.php 2014-07-30 19:26:17.000000000 +0000
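Review bot: The reason for the `/**/` prefix on the third added line is given only as a bug number, and the parentheses around the string are redundant; the line should read `$prefix = "/**/$prefix";` with a comment that states the mechanism rather than the ticket. The attack the comment alludes to is presumably one where the attacker-controlled callback name supplies the first bytes of the response body, so a comment such as `# Lead with a comment so the body never starts with bytes chosen via the callback name; otherwise a browser or plugin content sniffer could treat this JSONP response as a different file format (bug 68187)` would tell the next maintainer why the prefix must stay at byte 0. The character class on the preceding context line still admits `'` and `"`, presumably to allow bracketed string keys such as `obj['cb']`; that is worth a comment too, since quotes are not identifier characters and a reader may assume they are stripped. The enclosing method continues outside the hunk.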
@@ -33,7 +33,7 @@
 /** @endcond */
 /** MediaWiki version number */
-$wgVersion = '1.19.17';
+$wgVersion = '1.19.18';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff -Nru mediawiki-1.19.17+dfsg/includes/OutputPage.php mediawiki-1.19.18+dfsg/includes/OutputPage.php
--- mediawiki-1.19.17+dfsg/includes/OutputPage.php 2014-06-25 21:11:49.000000000 +0000
+++ mediawiki-1.19.18+dfsg/includes/OutputPage.php 2014-07-30 19:26:17.000000000 +0000
@@ -1504,6 +1504,8 @@
 $this->addModuleScripts( $parserOutput->getModuleScripts() );
 $this->addModuleStyles( $parserOutput->getModuleStyles() );
 $this->addModuleMessages( $parserOutput->getModuleMessages() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
 // Template versioning...
 foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
@@ -1802,6 +1804,16 @@
 }
 /**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
 * Get the X-Frame-Options header value (without the name part), or false
 * if there isn't one. This is used by Skin to determine whether to enable
 * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
diff -Nru mediawiki-1.19.17+dfsg/includes/parser/ParserOutput.php mediawiki-1.19.18+dfsg/includes/parser/ParserOutput.php
--- mediawiki-1.19.17+dfsg/includes/parser/ParserOutput.php 2014-06-25 21:11:49.000000000 +0000
+++ mediawiki-1.19.18+dfsg/includes/parser/ParserOutput.php 2014-07-30 19:26:18.000000000 +0000
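Review bot: The merge on the two added lines in the first OutputPage hunk is deliberately one-directional (a parser output can raise the prevent-clickjacking flag but never clear it), yet nothing says so, and the enclosing method begins outside the hunk where the reader cannot see what else is merged. A one-line comment above the assignment would keep a later cleanup from turning it into a plain copy: `// OR, never assign: once any merged parser output required X-Frame-Options: DENY the page must keep it`. Calling `$parserOutput->preventClickjacking()` with no argument is correct for the get-or-set accessor this patch introduces, but it reads like a setter at a glance, which is a second reason to comment the line.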
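Review bot: The docblock on the new `getPreventClickjacking()` in the second OutputPage hunk says `@since 1.24`, but this file ships as 1.19.18, so the annotation misleads anyone reading this branch's API; `@since 1.19.18 (backported from 1.24)` would be accurate. The `@return boolean` line should also say what the flag means, since the field itself is declared outside the hunk: `@return boolean True if the page must be served with X-Frame-Options: DENY`, which ties it to the X-Frame-Options method whose docblock follows as context.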
@@ -142,6 +142,7 @@
 $mTimestamp; # Timestamp of the revision
 private $mIndexPolicy = ''; # 'index' or 'noindex'? Any other value will result in no change.
 private $mAccessedOptions = array(); # List of ParserOptions (stored in the keys)
+ private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
 const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)())#';
@@ -371,6 +372,7 @@
 $this->addModuleMessages( $out->getModuleMessages() );
 $this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
 }
 /**
@@ -447,4 +449,15 @@
 function recordOption( $option ) {
 $this->mAccessedOptions[$option] = true;
 }
+
+ /**
+ * Get or set the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @param boolean|null $flag New flag value, or null to leave it unchanged
+ * @return boolean Old flag value
+ */
+ public function preventClickjacking( $flag = null ) {
+ return wfSetVar( $this->mPreventClickjacking, $flag );
+ }
 }
diff -Nru mediawiki-1.19.17+dfsg/RELEASE-NOTES-1.19 mediawiki-1.19.18+dfsg/RELEASE-NOTES-1.19
--- mediawiki-1.19.17+dfsg/RELEASE-NOTES-1.19 2014-06-25 21:11:49.000000000 +0000
+++ mediawiki-1.19.18+dfsg/RELEASE-NOTES-1.19 2014-07-30 19:26:17.000000000 +0000
@@ -3,6 +3,16 @@
 Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
+== MediaWiki 1.19.18 ==
+
+This is a security release of the MediaWiki 1.19 branch.
+
+=== Changes since 1.19.17 ===
+
+* (bug 68187) SECURITY: Prepend jsonp callback with comment.
+* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
+ ParserOutput.
+
 == MediaWiki 1.19.17 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
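Review bot: The new private `$mPreventClickjacking` property in the first ParserOutput hunk changes the serialized shape of the object; if ParserOutput instances are cached and unserialized across the upgrade, as parser-cache entries presumably are, entries written before this change come back with the class default `false`, so the protection for such a page is only restored once it is re-parsed. If any content depends on this flag reaching OutputPage, the deployment should bump the parser-cache version or expire entries alongside the upgrade, and the field comment should record the caveat: `# Whether to emit X-Frame-Options: DENY; missing from objects cached before this field existed, so those unserialize as false`. The enclosing class declaration starts outside the hunk.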
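Review bot: The single added line in the second ParserOutput hunk merges with `||`, so a ParserOutput can only acquire the prevent-clickjacking requirement from an OutputPage, never lose it, and since the method it sits in starts outside the hunk the reader has no context for why it is not a plain assignment. A short comment on the line itself would carry that: `// Sticky: keep DENY if either side asked for it`. This line also depends on `OutputPage::getPreventClickjacking()`, which is introduced by the same patch, so the two files cannot be backported independently; worth noting in the commit description.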
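Review bot: `preventClickjacking( $flag = null )` in the third ParserOutput hunk is a get-or-set accessor in the `wfSetVar` style, so `preventClickjacking( false )` clears the flag while a bare call reads it; the docblock should spell that out, and its `@since 1.24` is wrong for this 1.19.18 release (`@since 1.19.18`). Suggest `@param boolean|null $flag True to require X-Frame-Options: DENY for the page, false to clear the requirement, null to read without changing it`, so callers do not mistake the no-argument form used by OutputPage for a setter. Note that this is the only place in the patch where the flag can be lowered; the two merge sites only raise it.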