Change log for mediawiki package in Ubuntu

mediawiki (1:1.39.7-1) unstable; urgency=medium

  * New upstream version 1.39.7. (Closes: #1064797)
  * Drop obsolete Lintian override for
    package-supports-alternative-init-but-no-init.d-script.
  * Fix ordering in debian/changelog to fix the
    globbing-patterns-out-of-order lintian warning.

 -- Taavi Väänänen <email address hidden>  Fri, 29 Mar 2024 13:30:00 +0200

Available diffs

• diff from 1:1.39.6-1 to 1:1.39.7-1 (2.6 MiB)

mediawiki (1:1.39.6-1) unstable; urgency=medium

  * New upstream version 1.39.6, fixing CVE-2023-51704.

 -- Taavi Väänänen <email address hidden>  Wed, 27 Dec 2023 22:39:20 +0200

Available diffs

• diff from 1:1.39.5-1 to 1:1.39.6-1 (2.1 MiB)

mediawiki (1:1.39.5-1) unstable; urgency=medium

  * New upstream version 1.39.5, fixing CVE-2023-3550,
    CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362,
    CVE-2023-45363, CVE-2023-45364.

 -- Kunal Mehta <email address hidden>  Mon, 09 Oct 2023 15:00:33 -0400

Available diffs

• diff from 1:1.39.4-2 to 1:1.39.5-1 (2.9 MiB)

mediawiki (1:1.39.4-2) unstable; urgency=medium

  * Set Breaks/Replaces for mediawiki-extensions-math (Closes: #1039075)

 -- Kunal Mehta <email address hidden>  Tue, 04 Jul 2023 02:42:01 -0400

Available diffs

• diff from 1:1.39.4-1 to 1:1.39.4-2 (506 bytes)

mediawiki (1:1.39.4-1) unstable; urgency=medium

  [ Kunal Mehta ]
  * Update apache2 config for PHP 8
  * Set "X-Content-Type-Options: nosniff" header for image directories
  * Remove pre-Apache 2.3 support

  [ Taavi Väänänen ]
  * New upstream version 1.39.4, fixing CVE-2023-29141, CVE-2023-36674
    and CVE-2023-36675.
    * The bundled guzzlehttp/guzzle library was updated to 2.4.5 to fix
      CVE-2023-29197.

 -- Taavi Väänänen <email address hidden>  Fri, 30 Jun 2023 19:44:00 +0300

Available diffs

• diff from 1:1.39.2-1 to 1:1.39.4-1 (2.8 MiB)

mediawiki (1:1.39.2-1) unstable; urgency=medium

  * New upstream version 1.39.2
  * d/control: Raise minimum PHP version to 7.4

 -- Taavi Väänänen <email address hidden>  Thu, 23 Feb 2023 15:13:02 +0200

Available diffs

• diff from 1:1.39.1-2 to 1:1.39.2-1 (1.0 MiB)

mediawiki (1:1.39.1-2) unstable; urgency=medium

  * d/copyright: Remove stale entry for vendor/wikimedia/dodo/*
  * d/rules: Raise Standards-Version to 4.6.2, no changes needed
  * d/control: Add a Breaks: for old GreyStuff versions

 -- Taavi Väänänen <email address hidden>  Tue, 27 Dec 2022 12:34:25 +0200

Available diffs

• diff from 1:1.35.8-1.1 to 1:1.39.1-2 (24.7 MiB)
• diff from 1:1.39.1-1 to 1:1.39.1-2 (798 bytes)

mediawiki (1:1.39.1-1) unstable; urgency=medium

  * New upstream version 1.39.1

 -- Taavi Väänänen <email address hidden>  Fri, 23 Dec 2022 12:09:19 +0200

Available diffs

• diff from 1:1.39.0-2 to 1:1.39.1-1 (659.1 KiB)

mediawiki (1:1.39.0-2) unstable; urgency=medium

  * Cherry-pick upstream patch to fix 32-bit issues in wikimedia/idle-dom

 -- Kunal Mehta <email address hidden>  Sun, 11 Dec 2022 20:10:05 -0500

Available diffs

• diff from 1:1.39.0-1 to 1:1.39.0-2 (1.6 KiB)

mediawiki (1:1.39.0-1) unstable; urgency=medium

  * New upstream version 1.39.0

 -- Taavi Väänänen <email address hidden>  Sun, 04 Dec 2022 22:20:45 +0200

Available diffs

• diff from 1:1.35.8-1.1 to 1:1.39.0-1 (24.7 MiB)

mediawiki (1:1.35.8-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <email address hidden>  Sat, 15 Oct 2022 12:21:41 +0200

Available diffs

• diff from 1:1.35.7-1 to 1:1.35.8-1.1 (2.1 MiB)

mediawiki (1:1.35.7-1) unstable; urgency=medium

  [ Taavi Väänänen ]
  * New upstream release 1.35.7, fixing CVE-2022-27776 and
    CVE-2022-29248 in the embedded guzzlehttp/guzzle library.

  [ Kunal Mehta ]
  * Officially switch to team maintenance, add Taavi to uploaders

 -- Kunal Mehta <email address hidden>  Sun, 03 Jul 2022 11:14:52 -0700

Available diffs

• diff from 1:1.35.6-1 to 1:1.35.7-1 (1.2 MiB)

mediawiki (1:1.35.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.35.6, fixing CVE-2022-28201, CVE-2022-28202,
    CVE-2022-28203. This version is not affected by CVE-2022-28204.
  * Update php extension recommends from composer.json

 -- Taavi Väänänen <email address hidden>  Fri, 01 Apr 2022 16:49:04 +0300

Available diffs

• diff from 1:1.35.5-1ubuntu3 (in Ubuntu) to 1:1.35.6-1 (5.0 MiB)

mediawiki (1:1.35.5-1ubuntu3) jammy; urgency=medium

  * d/p/php8.1-increase-formatjson-timeout.patch: Avoid dep8 failure on
    armhf architecture due to FormatJson timeout during page rendering
    in Apache2.

 -- Bryce Harrington <email address hidden>  Thu, 20 Jan 2022 22:40:42 +0000

Available diffs

• diff from 1:1.35.5-1ubuntu2 to 1:1.35.5-1ubuntu3 (893 bytes)

mediawiki (1:1.35.5-1ubuntu2) jammy; urgency=medium

  * d/t/assert-http: Make it easier to debug autopkgtest failures.
    Use (unreleased) Debian changes suggested by Kunal Mehta.
  * d/t/install-[mysql|postgresql|sqlite]: Drop per-test check in favor of
    Debian's approach.

 -- Bryce Harrington <email address hidden>  Tue, 18 Jan 2022 23:05:47 +0000

Available diffs

• diff from 1:1.35.5-1ubuntu1 to 1:1.35.5-1ubuntu2 (915 bytes)

mediawiki (1:1.35.5-1ubuntu1) jammy; urgency=medium

  * d/t/install-[mysql|postgresql|sqlite]: Dump error.log on failure

 -- Bryce Harrington <email address hidden>  Mon, 10 Jan 2022 23:21:17 +0000

Available diffs

• diff from 1:1.35.5-1 (in Debian) to 1:1.35.5-1ubuntu1 (748 bytes)

mediawiki (1:1.35.5-1) unstable; urgency=high

  [ Kunal Mehta ]
  * New upstream version 1.35.5, fixing CVE-2021-44854, CVE-2021-44855,
    CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038.

  [ Debian Janitor ]
  * Remove constraints unnecessary since buster

 -- Kunal Mehta <email address hidden>  Thu, 30 Sep 2021 20:42:36 -0700

Available diffs

• diff from 1:1.35.4-1 to 1:1.35.5-1 (1.8 MiB)

mediawiki (1:1.35.4-1) unstable; urgency=medium

  * New upstream version 1.35.4, fixing CVE-2021-41798, CVE-2021-41799,
    CVE-2021-41800, CVE-2021-41801.

 -- Kunal Mehta <email address hidden>  Thu, 30 Sep 2021 10:49:49 -0700

Available diffs

• diff from 1:1.35.3-1 to 1:1.35.4-1 (12.2 KiB)

mediawiki (1:1.35.3-1) unstable; urgency=medium

  [ Kunal Mehta ]
  * New upstream version 1.35.3, fixing CVE-2021-35197.

  [ Tobias Wiese ]
  * d/tests: update test restrictions (Closes: #987976)
  * d/tests: Add systemd as test dependency

 -- Kunal Mehta <email address hidden>  Fri, 20 Aug 2021 23:56:23 -0700

Available diffs

• diff from 1:1.35.2-1 to 1:1.35.3-1 (57.8 KiB)

mediawiki (1:1.35.2-1) unstable; urgency=high

  * New upstream version 1.35.2, fixing CVE-2021-30152, CVE-2021-30153,
    CVE-2021-30154, CVE-2021-30155, CVE-2021-30157, CVE-2021-30158,
    CVE-2021-30159, CVE-2021-30458.
  * Bundled pygments was updated to fix CVE-2021-20270, CVE-2021-27291.

 -- Kunal Mehta <email address hidden>  Thu, 08 Apr 2021 13:41:18 -0700

Available diffs

• diff from 1:1.35.1-2 to 1:1.35.2-1 (207.3 KiB)

mediawiki (1:1.35.1-2) unstable; urgency=medium

  * Make it easier to install for use with SQLite (Closes: #979686)

 -- Kunal Mehta <email address hidden>  Wed, 03 Feb 2021 15:01:01 -0800

Available diffs

• diff from 1:1.35.1-1 to 1:1.35.1-2 (520 bytes)

mediawiki (1:1.35.1-1) unstable; urgency=medium

  * New upstream version 1.35.1, fixing CVE-2020-35474, CVE-2020-35475,
    CVE-2020-35477, CVE-2020-35478, CVE-2020-35479, CVE-2020-35480.
  * Respect $wgRedirectOnLogin configuration setting (Closes: #971986).
  * Flatten footer links without triggering a PHP warning (Closes: #971985).
  * Drop patches merged upstream

 -- Kunal Mehta <email address hidden>  Thu, 17 Dec 2020 17:53:57 -0800

Available diffs

• diff from 1:1.35.0-2 to 1:1.35.1-1 (96.0 KiB)

mediawiki (1:1.35.0-2) unstable; urgency=medium

  * Refactor autopkgtests to make easier to reuse
  * Fixup lintian overrides
  * d/watch: Switch to version=4
  * Add patches for PHP 8.0 and newer Postgres compatibility
  * Standards-Version: 4.5.1, no changes needed

 -- Kunal Mehta <email address hidden>  Mon, 14 Dec 2020 10:56:11 -0800

Available diffs

• diff from 1:1.35.0-1 to 1:1.35.0-2 (3.4 KiB)

mediawiki (1:1.35.0-1) unstable; urgency=medium

  * Upload to unstable.
  * New upstream version 1.35.0, fixing CVE-2020-25812,
    CVE-2020-25813, CVE-2020-25814, CVE-2020-25815,
    CVE-2020-25827, CVE-2020-25828.
  * Additionally, mitigations for firejail's CVE-2020-17367,
    CVE-2020-17368 are included as well.
  * Require PHP 7.3+ (thanks to Platonides for the suggestion).

 -- Kunal Mehta <email address hidden>  Sun, 27 Sep 2020 04:16:53 -0700

Available diffs

• diff from 1:1.31.8-1 to 1:1.35.0-1 (28.9 MiB)

mediawiki (1:1.31.8-1) unstable; urgency=medium

  * New upstream version 1.31.8, fixing CVE-2020-15005.
  * Use debhelper 12 and dh_installsystemd.

 -- Kunal Mehta <email address hidden>  Wed, 24 Jun 2020 14:25:22 -0700

Available diffs

• diff from 1:1.31.7-1 to 1:1.31.8-1 (11.9 KiB)

mediawiki (1:1.31.7-1) unstable; urgency=medium

  * New upstream version 1.31.7, fixing CVE-2020-10960.
    CVE-2020-10960 does not affect this version of MediaWiki.
  * A hardening fix was included for the OATHAuth extension to
    limit access of user-controlled JavaScript.
  * Standards-Version: 4.5.0, no changes needed

 -- Kunal Mehta <email address hidden>  Thu, 26 Mar 2020 15:30:16 -0700

Available diffs

• diff from 1:1.31.6-1 to 1:1.31.7-1 (5.8 KiB)

mediawiki (1:1.31.6-1) unstable; urgency=medium

  * New upstream version 1.31.6, fixing CVE-2019-19709.
    * Drop Postgres patches merged upstream
  * Suppress a bunch of lintian warnings that are ignored on purpose
  * Sync d/upstream/signing-key.asc with upstream
  * autopkgtests: set allow-stderr for all tests that use sudo. Thanks
    to Mathieu Trudel-Lapierre for reporting and fixing in Ubuntu.
    (Closes: #946665)

 -- Kunal Mehta <email address hidden>  Thu, 19 Dec 2019 13:20:56 -0800

Available diffs

• diff from 1:1.31.5-3ubuntu1 (in Ubuntu) to 1:1.31.6-1 (18.9 KiB)

mediawiki (1:1.31.5-3ubuntu1) focal; urgency=medium

  * debian/tests/control: set allow-stderr; sudo on some architectures will
    report being unable to set RLIMIT_CORE in autopkgtests due to specifics
    of the testing infrastructure. The command otherwise succeeds (without
    setting the limits).

 -- Mathieu Trudel-Lapierre <email address hidden>  Thu, 12 Dec 2019 20:52:48 -0500

Available diffs

• diff from 1:1.31.5-3 (in Debian) to 1:1.31.5-3ubuntu1 (885 bytes)

mediawiki (1:1.31.5-3) unstable; urgency=medium

  * In autopkgtests, skip testing against mysql-server if it
    isn't available, such as in Debian testing
  * Move packaging git repository to Salsa and update relevant
    documentation
  * Set up and configure Salsa CI
  * Sync d/upstream/signing-key.asc with upstream

 -- Kunal Mehta <email address hidden>  Mon, 25 Nov 2019 00:59:49 -0800

Available diffs

• diff from 1:1.31.5-2 to 1:1.31.5-3 (28.9 KiB)

mediawiki (1:1.31.5-2) unstable; urgency=medium

  * Add extra debugging information to autopkgtests
  * Backport patches from upstream for Postgresql 12 compatibility
    (Closes: #944650)

 -- Kunal Mehta <email address hidden>  Fri, 15 Nov 2019 15:28:16 -0800

Available diffs

• diff from 1:1.31.5-1ubuntu1 (in Ubuntu) to 1:1.31.5-2 (3.6 KiB)

mediawiki (1:1.31.5-1ubuntu1) focal; urgency=medium

  * d/p/rdbms-*Postg: fix issues with postgresql12 (LP: #1852408)

 -- Christian Ehrhardt <email address hidden>  Wed, 13 Nov 2019 10:54:11 +0100

Available diffs

• diff from 1:1.31.5-1 (in Debian) to 1:1.31.5-1ubuntu1 (2.5 KiB)

mediawiki (1:1.31.5-1) unstable; urgency=medium

  * New upstream version 1.31.5
  * Incorporate MySQL autopkgtest improvements from Lars Tangvald
    and Robie Basak from Ubuntu:
    * Use a different method besides MySQL 8.0's default authentication
      because PHP doesn't currently support it.
    * Explicitly test MySQL and MariaDB regardless of which one is the
      default.
  * Standards-Version: 4.4.1, no changes needed

 -- Kunal Mehta <email address hidden>  Sat, 26 Oct 2019 18:01:59 -0700

Available diffs

• diff from 1:1.31.2-1ubuntu1 (in Ubuntu) to 1:1.31.5-1 (24.3 KiB)

mediawiki (1:1.31.2-1ubuntu1) eoan; urgency=medium

  [ Lars Tangvald ]
  * d/tests: Update for MySQL 8.0
    PHP's mysql connector does not currently support MySQL's new default
    authentication, so another must be specified when creating the user.

  [ Robie Basak ]
  * d/tests: tweak Lars' change to retain old behaviour on older MySQL and on
    MariaDB so that the test suite functions correctly regardless of the
    behaviour required.
  * d/t/control: explicitly test both MySQL and MariaDB in addition to
    whichever is the default.

 -- Robie Basak <email address hidden>  Wed, 28 Aug 2019 18:30:01 +0000

Available diffs

• diff from 1:1.31.2-1 (in Debian) to 1:1.31.2-1ubuntu1 (1.2 KiB)

mediawiki (1:1.31.2-1) unstable; urgency=medium

  [ Kunal Mehta ]
  * New upstream version 1.31.2 (security release), fixing
    CVE-2019-12466, CVE-2019-12467, CVE-2019-12468, CVE-2019-12469,
    CVE-2019-12470, CVE-2019-12471, CVE-2019-12472, CVE-2019-12473,
    CVE-2019-12474. The bundled jQuery was also updated, fixing
    CVE-2019-11358.
  * Fix regex that was breaking file uploads in PHP 7.3
    (Closes: #928716).
  * Sync upstream/signing-key.asc with mediawiki.org.
  * Drop patch merged upstream.
  * Revert "Temporarily add allow-stderr restriction to autopkgtests",
    as it was fixed upstream.

  [ Mark A. Hershberger ]
  * Fix indentation in README.Debian

 -- Kunal Mehta <email address hidden>  Wed, 05 Jun 2019 22:40:28 -0400

Available diffs

• diff from 1:1.31.1-4 to 1:1.31.2-1 (256.6 KiB)

mediawiki (1:1.31.1-4) unstable; urgency=medium

  * Update my email address
  * Temporarily add allow-stderr restriction to autopkgtests (Closes: #911829)

 -- Kunal Mehta <email address hidden>  Thu, 25 Oct 2018 23:19:40 -0700

Available diffs

• diff from 1:1.31.1-3 to 1:1.31.1-4 (695 bytes)

mediawiki (1:1.31.1-3) unstable; urgency=medium

  * Document removal of CologneBlue and Modern in NEWS (Closes: #909589)
  * Document filesystem structure in README.Debian

 -- Kunal Mehta <email address hidden>  Wed, 26 Sep 2018 20:41:24 -0700

Available diffs

• diff from 1:1.31.1-2 to 1:1.31.1-3 (1.9 KiB)

mediawiki (1:1.31.1-2) unstable; urgency=medium

  * Fix SQLite autopkgtests.
  * Remove bogus version dependency upon php-common.
  * Fix some package-contains-documentation-outside-usr-share-doc issues.

 -- Kunal Mehta <email address hidden>  Sat, 22 Sep 2018 16:16:02 -0700

Available diffs

• diff from 1:1.30.0-1 to 1:1.31.1-2 (19.5 MiB)
• diff from 1:1.31.1-1 to 1:1.31.1-2 (1.4 KiB)

mediawiki (1:1.31.1-1) unstable; urgency=medium

  * New upstream version 1.31.1, including fixes for CVE-2018-0503,
    CVE-2018-0505, CVE-2018-0504.
  * Use PlatformSettings.php instead of LocalSettingsGenerator, see NEWS
    for details on how to migrate.
  * Wrap $wgFooterIcons custom config in an $wgExtensionFunctions, so the
    resources path is read after config. (Closes: #863332)
  * SyntaxHighlight extension now uses Python 3.

 -- Kunal Mehta <email address hidden>  Fri, 21 Sep 2018 23:13:24 -0700

Available diffs

• diff from 1:1.30.0-1 to 1:1.31.1-1 (19.5 MiB)

mediawiki (1:1.30.0-1) unstable; urgency=medium

  * New upstream version 1.30.0
  * Update Vcs-Browser to use Gerrit/Gitiles as repository viewer
  * Update d/watch for 1.30
  * Update d/copyright for 1.30
  * Rebase patches, dropping php-jwt-fix-shebang.diff
  * Don't try to install any *.phtml
  * Drop Suggests on hhvm
  * Suppress and fix some lintian issues
  * Refer to newly available `/usr/share/common-licenses/CC0-1.0`
  * Standards-Version: 4.1.4
  * Update mediawiki.NEWS for 1.30 release
  * Install composer.json to avoid update.php warning

 -- Kunal Mehta <email address hidden>  Thu, 12 Apr 2018 21:26:19 -0700

Available diffs

• diff from 1:1.27.4-3 to 1:1.30.0-1 (18.6 MiB)

mediawiki (1:1.27.4-3) unstable; urgency=medium

  * Add basic tests via autopkgtest
  * Document mediawiki-jobrunner systemd unit in README.Debian

 -- Kunal Mehta <email address hidden>  Sun, 03 Dec 2017 00:20:33 -0800

Available diffs

• diff from 1:1.27.4-2 to 1:1.27.4-3 (1.7 KiB)

mediawiki (1:1.27.4-2) unstable; urgency=medium

  * Bump Standards-Version to 4.1.1
  * Set Rules-Requires-Root: no
  * Remove unused lintian overrides
  * Upgrade php-apcu to a Recommends
  * Use debhelper compat 10
  * Add a systemd unit to run runJobs.php as a service
  * Get rid of unnecessary dh_installdeb override
  * Remove dead code to mess with $wgVersion
  * Synchronise upstream/signing-key.asc
  * Remove broken ConfirmEdit/Asirra.php & Vector/Vector.php symlinks
    (Closes: #857773)
  * Document descriptions and forwarded status for all patches
  * Remove unused GPL-3.0 paragraph from debian/copyright
  * Override composer-package-without-pkg-php-tools-builddep lintian warning

 -- Kunal Mehta <email address hidden>  Thu, 23 Nov 2017 01:22:51 -0800

Available diffs

• diff from 1:1.27.4-1 to 1:1.27.4-2 (25.4 KiB)

mediawiki (1:1.27.4-1) unstable; urgency=medium

  * Imported Upstream version 1.27.4 (security release), fixing
    CVE-2017-8809, CVE-2017-8810, CVE-2017-8808, CVE-2017-8811,
    CVE-2017-8812, CVE-2017-8814, CVE-2017-8815.
  * Users who used the default configuration should not be affected
    by CVE-2017-9841, but an extra .htaccess file will restrict
    web access to the vendor/ directory.

 -- Kunal Mehta <email address hidden>  Tue, 14 Nov 2017 15:52:47 -0800

Available diffs

• diff from 1:1.27.3-1 to 1:1.27.4-1 (28.8 KiB)

mediawiki (1:1.27.3-1) unstable; urgency=medium

  * Imported Upstream version 1.27.3 (security release), that
    actually contains the fix for CVE-2017-0372 (Closes: #861585)

 -- Kunal Mehta <email address hidden>  Mon, 01 May 2017 13:20:11 -0700

Available diffs

• diff from 1:1.27.2-1 to 1:1.27.3-1 (7.6 KiB)

mediawiki (1:1.27.2-1) unstable; urgency=medium

  * Improve NEWS file (Closes: #852862, #854352)
  * Imported Upstream version 1.27.2 (security release), fixing
    CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0361,
    CVE-2017-0362, CVE-2017-0368, CVE-2017-0366, CVE-2017-0370,
    CVE-2017-0369, CVE-2017-0367, CVE-2017-0372

 -- Kunal Mehta <email address hidden>  Thu, 06 Apr 2017 14:04:24 -0700

Available diffs

• diff from 1:1.27.1-3 to 1:1.27.2-1 (32.6 KiB)

mediawiki (1:1.27.1-3) unstable; urgency=medium

  * Ensure mediawiki depends upon the same version of mediawiki-classes
  * Add powered by Debian icon in footer
  * Add NEWS for major version upgrade (Closes: #838965)
  * Add README for mediawiki-classes
  * Add RELEASE-NOTES-* as documentation for mediawiki
  * Recommend default-mysql-server | virtual-mysql-server instead of
    just mysql-server (Closes: #843994, #848441)
  * Use bundled jQuery (version 1) instead of Debian's jQuery, which is
    now the incompatible version 3
  * Add Provides for extensions now included in this one (Closes: #845281)

 -- Kunal Mehta <email address hidden>  Tue, 13 Sep 2016 04:17:42 -0700

Available diffs

• diff from 1:1.27.1-2 to 1:1.27.1-3 (19.8 KiB)

mediawiki (1:1.27.1-2) unstable; urgency=high

  * Add missing php-xml dependency (Closes: #835912)

 -- Kunal Mehta <email address hidden>  Mon, 29 Aug 2016 20:44:17 -0700

Available diffs

• diff from 1:1.27.1-1 to 1:1.27.1-2 (642 bytes)

mediawiki (1:1.27.1-1) unstable; urgency=medium

  * Add gbp.conf for git-buildpackage
  * Improve Breaks/Replaces for mediawiki-extensions-* packages
    (Closes: #831227)
  * Update apache config for mod_php7
  * Don't add custom PHP session configuration (Closes: #831874)
  * Imported Upstream version 1.27.1 (security release), fixing
    CVE-2016-6335, CVE-2016-6334, CVE-2016-6333, CVE-2016-6333,
    CVE-2016-6336, CVE-2016-6332, CVE-2016-6332, CVE-2016-6331,
    CVE-2016-6337

 -- Kunal Mehta <email address hidden>  Mon, 22 Aug 2016 20:08:40 -0700

Available diffs

• diff from 1:1.27.0-1 to 1:1.27.1-1 (11.4 KiB)

mediawiki (1:1.27.0-1) unstable; urgency=medium

  * New upstream release
  * Update dependencies to be PHP version agnostic
  * Switch to new 1.27 MediaWiki Installer overrides system, drop old patches
  * Local patch to remove newline before shebang in php-jwt/run-tests.sh
  * Local patch to fix pear/mail_mime/scripts/phail.php shebang
  * Remove permission fixes that were addressed upstream, add new ones
  * Properly override source-is-missing lintian warning
  * Drop AdminSettings.php support
  * Add php-curl, php-intl, and php-wikidiff2 as Recommends
  * Add python as recommended for SyntaxHighlighting (via pygments)
  * Remove unnecessary Build-Depends packages
  * Update watch file for 1.27
  * Standards version 3.9.8
  * Include serialized/ folder in install, MediaWiki now needs it at runtime
  * Rewrite and simplify README

 -- Kunal Mehta <email address hidden>  Thu, 30 Jun 2016 22:48:23 +0000

Available diffs

• diff from 1:1.25.5-1 to 1:1.27.0-1 (18.3 MiB)

mediawiki (1:1.25.5-1) unstable; urgency=medium

  * Upgraded to new upstream release
  * Remove unneeded patches
  * Remove redrawn CC images; images provided by upstream are free
  * Fixed lintian warnings

 -- Kunal Mehta <email address hidden>  Sun, 09 Aug 2015 23:49:36 +0000

mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high


  * Non-maintainer upload.
  * Add patch fixing several security issues:
    - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
       contain XML entities, to prevent various DoS attacks.
    - (bug T88310) SECURITY: Always expand xml entities when checking
      SVG's.
    - (bug T73394) SECURITY: Escape > in Html::expandAttributes to
      prevent XSS.
    - (bug T85855) SECURITY: Don't execute another user's CSS or JS
      on preview.
    - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
      fixed in SVG filtering to prevent XSS and protect viewer's
      privacy.

 -- Thijs Kinkhorst <email address hidden>  Mon, 06 Apr 2015 16:53:54 +0000

Available diffs

• diff from 1:1.19.20+dfsg-2.2 to 1:1.19.20+dfsg-2.3 (7.6 KiB)

mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium


  * Non-maintainer upload.
  * Add patch fixing T76686: thumb.php outputs wikitext message as raw
    HTML, which could lead to xss. Permission to edit MediaWiki namespace
    is required to exploit this.

 -- Sebastien Delafond <email address hidden>  Sun, 21 Dec 2014 13:11:10 +0100

Available diffs

• diff from 1:1.19.20+dfsg-2.1 to 1:1.19.20+dfsg-2.2 (1.3 KiB)

mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium


  * Non-maintainer upload.
  * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
    poses a potentially severe security problem for API clients written in
    PHP, in that format=php is affected (Closes: #772764).

 -- Sebastien Delafond <email address hidden>  Sun, 14 Dec 2014 18:23:47 +0100

Available diffs

• diff from 1:1.19.20+dfsg-2 to 1:1.19.20+dfsg-2.1 (1.6 KiB)

mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low


  * Team upload.
  * Remove myself from Uploaders.

 -- Thorsten Glaser <email address hidden>  Tue, 07 Oct 2014 18:13:52 +0000

Available diffs

• diff from 1:1.19.18+dfsg-0.1 to 1:1.19.20+dfsg-2 (7.1 KiB)

mediawiki (1:1.19.18+dfsg-0.1) unstable; urgency=high


  * Non-maintainer upload with maintainers approval.
  * Imported Upstream version 1.19.18+dfsg
    (Closes: #758510)
    - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
    - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
      OutputPage and ParserOutput.

 -- Salvatore Bonaccorso <email address hidden>  Sun, 24 Aug 2014 06:47:35 +0200

Available diffs

• diff from 1:1.19.17+dfsg-1 to 1:1.19.18+dfsg-0.1 (1.9 KiB)

mediawiki (1:1.19.17+dfsg-1) unstable; urgency=medium


  * New upstream security and maintenance release:
    - (bug 65839) SECURITY: Prevent external resources in SVG files.
    - (bug 66428) MimeMagic: Don't seek before BOF. This has weird
      side effects like only extracting the tail of the file partially
      or not at all.
  * Update lintian overrides

 -- Thorsten Glaser <email address hidden>  Thu, 26 Jun 2014 09:57:03 +0200

Available diffs

• diff from 1:1.19.16+dfsg-1 to 1:1.19.17+dfsg-1 (2.0 KiB)

mediawiki (1:1.19.16+dfsg-1) unstable; urgency=medium


  * New upstream security and maintenance release:
    - CVE-2014-3966 (bug 65501) SECURITY: Don't parse usernames as
      wikitext on Special:PasswordReset.
  * Update debian/upstream/signing-key.asc

 -- Thorsten Glaser <email address hidden>  Wed, 11 Jun 2014 16:35:39 +0200

Available diffs

• diff from 1:1.19.15+dfsg-2 to 1:1.19.16+dfsg-1 (2.7 KiB)

mediawiki (1:1.19.15+dfsg-2) unstable; urgency=high


  * Depend on recent enough php5-common version to be able to use
    php5{en,dis}mod in maintainer scripts (Closes: #743893)
  * Urgency high because this rides on the previous security fix

 -- Thorsten Glaser <email address hidden>  Tue, 08 Apr 2014 09:46:46 +0200

Available diffs

• diff from 1:1.19.14+dfsg-1 to 1:1.19.15+dfsg-2 (446.6 KiB)

mediawiki (1:1.19.14+dfsg-1) unstable; urgency=medium


  * New upstream security fix release (Closes: #742857):
    - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
    - (bug 62467) Set a title for the context during import on the cli
  * Use upstream-provided signing key bundle

 -- Thorsten Glaser <email address hidden>  Fri, 28 Mar 2014 09:56:29 +0100

Available diffs

• diff from 1:1.19.11+dfsg-1 to 1:1.19.14+dfsg-1 (17.8 KiB)

mediawiki (1:1.19.11+dfsg-1) unstable; urgency=medium


  * New upstream security fix release:
    - CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
  * Update upstream signing key location to devscript maintainers’
    latest whim…
  * Rely on uscan in get-orig-source instead of downloading manually

 -- Thorsten Glaser <email address hidden>  Wed, 29 Jan 2014 10:10:39 +0100

Available diffs

• diff from 1:1.19.10+dfsg-1 to 1:1.19.11+dfsg-1 (5.3 KiB)

mediawiki (1:1.19.10+dfsg-1) unstable; urgency=high


  * New upstream security fix release:
    - CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
    - CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
    - CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
    - CVE-2013-6454 (bug 58472) Disallow -o-link in styles
    - CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks

 -- Thorsten Glaser <email address hidden>  Tue, 14 Jan 2014 10:51:35 +0100

Available diffs

• diff from 1:1.19.9+dfsg-2 to 1:1.19.10+dfsg-1 (453.4 KiB)

mediawiki (1:1.19.9+dfsg-2) unstable; urgency=medium


  * Ship files in /etc/mediawiki-extensions/extensions-available/
    for extensions shipped with the mediawiki core
  * Correct typo in changelog for 1:1.19.9+dfsg-1

 -- Thorsten Glaser <email address hidden>  Tue, 31 Dec 2013 14:00:37 +0100

Available diffs

• diff from 1:1.19.8+dfsg-2.2 to 1:1.19.9+dfsg-2 (1.8 MiB)

mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high


  * Non-maintainer upload
  * Security fixes (Closes: #729629):
    - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
      vectors for injecting Javascript in CSS that bypassed MediaWiki's
      blacklist [CVE-2013-4567, CVE-2013-4568]
    - Internal review while debugging a site issue discovered that MediaWiki
      and the CentralNotice extension were incorrectly setting cache headers
      when a user was autocreated, causing the user's session cookies to be
      cached, and returned to other users [CVE-2013-4572]
  * New Polish debconf translation, thanks to Magdalena Z. Kubot
    (Closes: #731381)

 -- David Prévot <email address hidden>  Sun, 08 Dec 2013 16:13:40 -0400

Available diffs

• diff from 1:1.19.8+dfsg-2.1 to 1:1.19.8+dfsg-2.2 (3.7 KiB)

mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low


  * Provide includes/libs in mediawiki-classes (Closes: #703837)

 -- David Prévot <email address hidden>  Wed, 23 Oct 2013 11:29:27 -0400

Available diffs

• diff from 1:1.19.8+dfsg-2 to 1:1.19.8+dfsg-2.1 (1.4 KiB)

mediawiki (1:1.19.8+dfsg-2) unstable; urgency=low


  [ Thorsten Glaser ]
  * debian/rules: get-orig-source now leaves the repacked origtgz
    in ./ ipv in ./debian/ according to Policy §4.9 (noticed by
    Natureshadow)
  * Add version guards to apache.conf

  [ Jonathan Wiltshire ]
  * Update apache.conf for Apache 2.4 syntax changes, and document
    in debian/NEWS (Closes: #723620, #669832)

 -- Jonathan Wiltshire <email address hidden>  Tue, 24 Sep 2013 19:04:42 +0100

Available diffs

• diff from 1:1.19.8+dfsg-1 to 1:1.19.8+dfsg-2 (1.1 KiB)

mediawiki (1:1.19.8+dfsg-1) unstable; urgency=low


  * mediawiki-math is now called mediawiki-extensions-math
    ⇒ update the package relationship fields
  * Make my self-drawn CC images nicer and more consistent
  * New upstream security release
  * Secure the default images directory (Closes: #716884)
  * Allow PDF upload (Closes: #716957)
  * Nuke ref to ENOENT dir (Closes: #705107)
  * Update debian/copyright information
  * Pull upstream patch to fix variables (Closes: #709943)
  * Sort patches ASCIIbetically; refresh them against new version
  * For Apache 2.4, move configuration file (Closes: #669832)

 -- Thorsten Glaser <email address hidden>  Thu, 05 Sep 2013 17:07:53 +0200

Available diffs

• diff from 1:1.19.7+dfsg-1 to 1:1.19.8+dfsg-1 (6.6 KiB)

mediawiki (1:1.19.7+dfsg-1) unstable; urgency=low


  * New low-impact upstream security release
  * Refresh patches
  * Change watch file to track upstream LTS version
  * Replace trademarked image files by self-drawn Free ones
  * Fix VCS-* URLs – prodded by lintian from experimental
  * Policy 3.9.4 with no further changes needed

 -- Thorsten Glaser <email address hidden>  Thu, 23 May 2013 11:03:39 +0000

Available diffs

• diff from 1:1.19.6-1 to 1:1.19.7+dfsg-1 (6.3 KiB)

mediawiki (1:1.19.6-1) unstable; urgency=low


  * New upstream security release (Closes: #706601):
    - SVG script filtering could be bypassed for Chrome and Firefox
      clients by using an encoding that MediaWiki understood, but these
      browsers interpreted as UTF-8. (CVE-2013-2031)
    - Internal review discovered that extensions were not given the
      opportunity to disable a password reset, which could lead to
      circumvention of two-factor authentication (CVE-2013-2032)

 -- Jonathan Wiltshire <email address hidden>  Sat, 11 May 2013 16:07:43 +0100

Available diffs

• diff from 1:1.19.5-1 to 1:1.19.6-1 (1.3 MiB)

mediawiki (1:1.19.5-1) unstable; urgency=high


  [ Platonides ]
  * Update config URL in README.Debian (Closes: #703804)

  [ Thorsten Glaser ]
  * Re-add LocalSettings creation snippet for support of the
    mediawiki-extensions Debian packaging (Closes: #703852)
  * New upstream security-only release:
    - (bug 47251) SECURITY: Disable external entities in Import
    - (bug 46859) SECURITY: Disable external entities in XMLReader
    - (bug 46084) SECURITY: Sanitize $limitReport before outputting
    - (bug 43594) Fix notices displayed on PHP 5.4
    - (bug 40585) Don't drop 'step="any"' in HTML input fields.
  * Refresh patches against new upstream code

 -- Thorsten Glaser <email address hidden>  Tue, 16 Apr 2013 11:04:05 +0200

Available diffs

• diff from 1:1.19.4-1 to 1:1.19.5-1 (4.7 KiB)

mediawiki (1:1.19.4-1) unstable; urgency=high


  * Urgency high for security fix
  * New upstream release:
    - New preference type - 'api'. Preferences of this type are not shown
      on Special:Preferences, but are still available via the
      action=options API.
    - (bug 44010) Context is passed to UserGetLanguageObject.
    - The recursion guard on RequestContext::getLanguage() was weakened.
    - (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
    - (bug 43518) API action=unblock should return the user name, not the
      full user object (Closes: #702305)
    - Increase timeout values for some tests

 -- Jonathan Wiltshire <email address hidden>  Mon, 04 Mar 2013 23:06:30 +0000

Available diffs

• diff from 1:1.19.3-2 to 1:1.19.4-1 (906.5 KiB)

mediawiki (1:1.19.3-2) unstable; urgency=low


  * Add missing changelog entries to 1:1.19.3-1 upload (oops…)
  * Upstream patch to fix XHTML issue in Special:Upload (BZ#40889)
  * Upstream patch to fix another MySQLism (BZ#39635) (Closes: #700595)
  * Update lintian overrides

 -- Thorsten Glaser <email address hidden>  Mon, 18 Feb 2013 10:24:08 +0100

Available diffs

• diff from 1:1.19.3-1 to 1:1.19.3-2 (2.6 KiB)

mediawiki (1:1.19.3-1) unstable; urgency=high


  [ Dominik George ]
  * Team upload
  * New upstream version fixes security issues (Closes: #694998)
    + Prevent session fixation in Special:UserLogin (CVE-2012-5391)
      https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
    + Prevent linker regex from exceeding PCRE backtrack limit
      https://bugzilla.wikimedia.org/show_bug.cgi?id=41400

  [ Thorsten Glaser ]
  * Fix spelling error in README.Debian (thanks lintian!)

 -- Dominik George <email address hidden>  Wed, 12 Dec 2012 09:44:08 +0100

Available diffs

• diff from 1:1.19.2-2 to 1:1.19.3-1 (1.3 MiB)

mediawiki (1:1.19.2-2) unstable; urgency=low


  * debian/watch: mangle the epoch away so DDPO is green again
  * Break mw-ext-fckeditor, it doesn’t work with 1.19 (Closes: #689375)

 -- Thorsten Glaser <email address hidden>  Tue, 02 Oct 2012 14:09:42 +0200

Available diffs

• diff from 1:1.19.2-1 to 1:1.19.2-2 (944 bytes)

mediawiki (1:1.19.2-1) unstable; urgency=low


  [ Thorsten Glaser ]
  * New upstream: security fixes for CVE-2012-4377, CVE-2012-4378,
    CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382
    (Closes: #686330)
  * Prevent <table></table> without any <tr /> inside, globally
  * Fix more cases of not checking $wgHtml5
  * MW’s ID (XML) sanitiser is there for a reason, use it!
  * Prevent <ul></ul> without any <li /> inside in MonoBook
  * Fix invalid XHTML caused by code not honouring $wgHtml5
  * Quell some PHP warnings from sloppy code
  * Do the wfSuppressWarnings patch used with FusionForge right
  * Add myself to Uploaders and quieten lintian a bit
  * Do not replace patched jquery-tablesorter with unpatched one;
    unbreaks sortable tables (Closes: #687519)
  * Update versioned Breaks against fusionforge and mw-extensions

  [ Jonathan Wiltshire ]
  * Add Recommends on mediawiki-extensions-base and php-wikidiff2

 -- Thorsten Glaser <email address hidden>  Thu, 20 Sep 2012 13:40:12 +0200

Available diffs

• diff from 1:1.19.1-1 to 1:1.19.2-1 (2.5 MiB)

mediawiki (1:1.19.1-1) unstable; urgency=low


  * New upstream bug fix release
    Closes: #672818, 677895 (CVE-2012-2698)
    - debian/rules: remove all .gitignore files too, since upstream
      switched to git VCS
  * Remove last traces of mediaiki-math binary package
  * Remove CDBS logic and dependencies and use dh
    auto-sequencer instead
  * Depend on debhelper >=9 and use compat level 9; this
    stops dh_pysupport adding files to the build
  * Do not run update debconf translations on clean 
  * Disable patch texvc_location.patch; this really belongs in mediawiki-math
    now and especially considering <email address hidden>
  * Add a versioned Breaks on fusionforge-plugin-mediawiki
  * Upload to unstable

 -- Jonathan Wiltshire <email address hidden>  Mon, 18 Jun 2012 15:25:25 +0100

Available diffs

• diff from 1:1.15.5-10 to 1:1.19.1-1 (16.8 MiB)

mediawiki (1:1.15.5-10) unstable; urgency=low


  * Team upload.
  * Apply SQL fix for schema search paths by Roland Mas (#673125)

 -- Thorsten Glaser <email address hidden>  Wed, 30 May 2012 16:50:36 +0200

Available diffs

• diff from 1:1.15.5-9 to 1:1.15.5-10 (814 bytes)