Change log for mediawiki package in Ubuntu

76 → 133 of 133 results
Superseded in quantal-release
mediawiki (1:1.15.5-9) unstable; urgency=high


  * Team upload.
  * Address MW security release 1.18.1-1 (Closes: #666269)
    - CVE-2012-1578 MW#34212: doesn’t affect 1.15
    - CVE-2012-1579 MW#34907: doesn’t affect 1.15
    - CVE-2012-1580 MW#35317: doesn’t affect 1.15
    - CVE-2012-1581 MW#35078: fix backported
    - CVE-2012-1582 MW#35315: fix backported
  * Apply some lintian cleanup

 -- Thorsten Glaser <email address hidden>  Wed, 16 May 2012 15:01:06 +0200

Superseded in quantal-release
mediawiki (1:1.15.5-8) unstable; urgency=low


  * Fix reversing IPv4 address for SORBS blacklist; patch from
    Nye Liu <email address hidden> (Closes: #658672)
  * Backport a method called by CVE-2011-1580.patch (Closes: #658682)
  * Fix warnings issued by PHP 5.4 (Closes: #661682)
  * Suggest librsvg-bin (Closes: #644731)
  * Demote database server to Suggests (Closes: #617561)
  * Add dansk translation (Closes: #627848)

 -- Thorsten Glaser <email address hidden>  Thu, 15 Mar 2012 12:52:09 +0100

Superseded in quantal-release
Published in precise-release
mediawiki (1:1.15.5-7) unstable; urgency=high


  * debian/patches/CVE-2011-4360.patch: remove – the information
    disclosure does not happen on 1.15 and the patch would not
    work anyway because the OutputPage object has no setTitle
    method (this prevents a PHP fatal error when someone has no
    permissions, instead reverting to the pre-1:1.15.5-4 behaviour
    of showing a page asking the user to log in)

 -- Thorsten Glaser <email address hidden>  Fri, 20 Jan 2012 17:13:28 +0100
Superseded in precise-release
mediawiki (1:1.15.5-5) unstable; urgency=high

  * Security fixes from upstream:
    CVE-2011-1578 - XSS for IE <= 6
    CVE-2011-1579 - CSS validation error in wikitext parser
    CVE-2011-1580 - access control checks on transwiki import feature
    CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  26 Dec 2011 17:50:13 +0000

Superseded in precise-release
mediawiki (1:1.15.5-4) unstable; urgency=low

  [ Thorsten Glaser ]
  * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)

  [ Jonathan Wiltshire ]
  * Security fixes from upstream (Closes: #650434):
    CVE-2011-4360 - page titles on private wikis could be exposed
    by passing different page ids to index.php
    CVE-2011-4361 - action=ajax requests were dispatched to the
    relevant function without any read permission checks being done
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  05 Dec 2011 11:01:33 +0000

Superseded in precise-release
Obsolete in oneiric-release
mediawiki (1:1.15.5-3build1) oneiric; urgency=low

  * Rebuild to pick up armel ocaml fixes.
 -- Adam Conrad <email address hidden>   Fri, 19 Aug 2011 13:29:06 -0600

Superseded in oneiric-release
Obsolete in natty-release
mediawiki (1:1.15.5-3) unstable; urgency=high

  [ Thorsten Glaser ]
  * debian/patches/fix_datetime.patch: new, convert argument into
    the format expected by other methods, fixes date/time output
    in e.g. the News/RSS extensions

  [ Jonathan Wiltshire ]
  * CVE-2011-0047: Protect against a CSS injection vulnerability
    (closes: #611787)
  * Update my email address
 -- Micah Gersten <email address hidden>   Tue,  08 Feb 2011 18:40:58 +0000

Superseded in natty-release
mediawiki (1:1.15.5-2) testing-security; urgency=high

  * CVE-2011-0003: Protect against clickjacking by sending the
    X-Frame-Options header in all pages (except normal page views
    and a few selected special pages). Patch as released by upstream
 -- Jonathan Wiltshire <email address hidden>   Mon,  10 Jan 2011 16:48:16 +0000

Superseded in natty-release
Obsolete in maverick-release
mediawiki (1:1.15.5-1) unstable; urgency=high

  [ Thorsten Glaser ]
  * debian/patches/suppress_warnings.patch: new, suppress warnings
    about session_start() being called twice also in the PHP error
    log, not just MediaWiki’s, for example run from FusionForge

  [ Jonathan Wiltshire ]
  * New upstream security release:
    - correctly set caching headers to prevent private data leakage
         (closes: #590660, LP: #610782)
    - fix XSS vulnerability in profileinfo.php
         (closes: #590669, LP: #610819)
 -- Jonathan Wiltshire <email address hidden>   Wed, 28 Jul 2010 12:23:04 +0100

Superseded in maverick-release
mediawiki (1:1.15.4-2) unstable; urgency=low

  [ Thorsten Glaser ]
  * debian/control: add Vcs-SVN and Vcs-Browser

  [ Jonathan Wiltshire ]
  * debian/source/format: Switch to source format 3.0 (quilt)
  * debian/rules: Drop CDBS quilt logic
  * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
    remove the original definition (LP: #406358)
  * debian/README.source: document use of quilt and format 3.0 (quilt)
  * New patch backup_documentation.patch improves documentation of
    maintenance/dumpBackup.php (closes: #572355)
  * Standards version 3.9.0 (no changes)
 -- Andreas Wenning <email address hidden>   Tue,  13 Jul 2010 18:49:14 +0100

Obsolete in karmic-updates
Obsolete in karmic-security
mediawiki (1:1.15.0-1.1ubuntu0.4) karmic-security; urgency=low

  * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
    which restrict access to private files using e.g. img_auth.php.
    - CVE-2010-1190
    - debian/patches/DataLeakage-CVE-2010-1190.patch
    - patch from upstream SVN rev. 63436
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
    - LP: #603740
 -- Andreas Wenning <email address hidden>   Fri, 09 Jul 2010 22:23:06 +0200
Obsolete in jaunty-updates
Obsolete in jaunty-security
mediawiki (1:1.13.3-1ubuntu2.4) jaunty-security; urgency=low

  * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
    which restrict access to private files using e.g. img_auth.php.
    - CVE-2010-1190
    - debian/patches/DataLeakage-CVE-2010-1190.patch
    - patch from upstream SVN rev. 63436
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
    - LP: #603740
 -- Andreas Wenning <email address hidden>   Fri, 09 Jul 2010 22:26:21 +0200
Obsolete in hardy-updates
Obsolete in hardy-security
mediawiki (1:1.11.2-2ubuntu0.7) hardy-security; urgency=low

  * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
    which restrict access to private files using e.g. img_auth.php.
    - CVE-2010-1190
    - debian/patches/DataLeakage-CVE-2010-1190.patch
    - patch based on upstream SVN rev. 63436
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
    - LP: #603740
 -- Andreas Wenning <email address hidden>   Fri, 09 Jul 2010 22:38:34 +0200
Superseded in maverick-release
mediawiki (1:1.15.4-1) unstable; urgency=high

  [ Jonathan Wiltshire ]
  * New upstream security release (closes: #585918).
  * CVE-2010-1647:
    Fix a cross-site scripting (XSS) vulnerability which allows
    remote attackers to inject arbitrary web script or HTML via crafted
    Cascading Style Sheets (CSS) strings that are processed as script by
    Internet Explorer.
  * CVE-2010-1648:
    Fix a cross-site request forgery (CSRF) vulnerability in the login interface
    which allows remote attackers to hijack the authentication of users for
    requests that (1) create accounts or (2) reset passwords, related to the
    Special:Userlogin form.

  [ Romain Beauxis ]
  * Put Debian's package version in declared version.
    Should help sysadmins to keep track of installed
    versions, in particular with regard to security
    updates.
  * Added Jonathan Wiltshire to uploaders.
  * Do not clean math dir if it does not exist (for instance
    when running clean from SVN).

Superseded in jaunty-updates
Superseded in jaunty-security
mediawiki (1:1.13.3-1ubuntu2.3) jaunty-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:47:42 +0200
Superseded in karmic-updates
Superseded in karmic-security
mediawiki (1:1.15.0-1.1ubuntu0.3) karmic-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:48:35 +0200
Obsolete in lucid-updates
Obsolete in lucid-security
mediawiki (1:1.15.1-1ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:49:12 +0200
Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.6) hardy-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:45:24 +0200
Superseded in maverick-release
mediawiki (1:1.15.1-1ubuntu3) maverick; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:49:46 +0200
Superseded in jaunty-updates
Superseded in jaunty-security
mediawiki (1:1.13.3-1ubuntu2.2) jaunty-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to log in as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 11:56:59 +0200
Obsolete in intrepid-updates
Obsolete in intrepid-security
mediawiki (1:1.12.0-2ubuntu0.5) intrepid-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to log in as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 11:56:02 +0200
Superseded in karmic-updates
Superseded in karmic-security
mediawiki (1:1.15.0-1.1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to log in as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 11:52:21 +0200
Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to log in as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 12:08:55 +0200
Superseded in maverick-release
Obsolete in lucid-release
mediawiki (1:1.15.1-1ubuntu2) lucid; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to log in as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
 -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 11:46:10 +0200
Superseded in intrepid-updates
Superseded in intrepid-security
mediawiki (1:1.12.0-2ubuntu0.4) intrepid-security; urgency=low

  * SECURITY UPDATE: CSS validation issue allowing external images to be included
    into wikis where that is disallowed by conf. (LP: #537974)
    - debian/patches/CSS-no-CVE_rev-63429.patch
    - patch based on upstream SVN rev. 63429
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
  * Fix regression in CVE-2009-0737.patch, where the database-specific options
    will not be shown by default when installing mediawiki. (LP: #539697)
 -- Andreas Wenning <email address hidden>   Fri, 12 Mar 2010 11:51:32 +0100
Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.4) hardy-security; urgency=low

  * SECURITY UPDATE: CSS validation issue allowing external images to be included
    into wikis where that is disallowed by conf. (LP: #537974)
    - debian/patches/CSS-no-CVE_rev-63429.patch
    - patch based on upstream SVN rev. 63429
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
  * Fix regression in CVE-2009-0737.patch, where the database-specific options
    will not be shown by default when installing mediawiki. (LP: #539697)
 -- Andreas Wenning <email address hidden>   Tue, 16 Mar 2010 18:43:48 +0100
Superseded in karmic-updates
Superseded in karmic-security
mediawiki (1:1.15.0-1.1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: CSS validation issue allowing external images to be included
    into wikis where that is disallowed by conf. (LP: #537974)
    - debian/patches/CSS-no-CVE_rev-63429.patch
    - patch from upstream SVN rev. 63429
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
 -- Andreas Wenning <email address hidden>   Fri, 12 Mar 2010 11:53:47 +0100
Superseded in jaunty-updates
Superseded in jaunty-security
mediawiki (1:1.13.3-1ubuntu2.1) jaunty-security; urgency=low

  * SECURITY UPDATE: CSS validation issue allowing external images to be included
    into wikis where that is disallowed by conf. (LP: #537974)
    - debian/patches/CSS-no-CVE_rev-63429.patch
    - patch from upstream SVN rev. 63429
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
 -- Andreas Wenning <email address hidden>   Fri, 12 Mar 2010 11:51:52 +0100
Superseded in lucid-release
mediawiki (1:1.15.1-1ubuntu1) lucid; urgency=low

  * SECURITY UPDATE: CSS validation issue allowing external images to be included
    into wikis where that is disallowed by conf. (LP: #537974)
    - debian/patches/CSS-no-CVE_rev-63429.patch
    - patch from upstream SVN rev. 63429
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
  * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
    which restrict access to private files using e.g. img_auth.php.
    - debian/patches/DataLeakage-no-CVE_rev-63436.patch
    - patch from upstream SVN rev. 63436
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
 -- Andreas Wenning <email address hidden>   Fri, 12 Mar 2010 12:06:25 +0100

Superseded in lucid-release
mediawiki (1:1.15.1-1) unstable; urgency=low

  * New upstream release.
  * Ack previous NMU, thanks to Nico Golde for taking care
    of this. 
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  05 Nov 2009 10:40:04 +0000

Superseded in lucid-release
Obsolete in karmic-release
mediawiki (1:1.15.0-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cross-site scripting in [[Special:Block]]
    (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).

 -- Andreas Wenning <email address hidden>   Mon,  27 Jul 2009 16:39:30 +0100

Superseded in karmic-release
mediawiki (1:1.15.0-1) unstable; urgency=low

  * New upstream release. 
  * Upstream added support for OASIS documents.
  Closes: #530328
  * Refreshed quilt patches
  * Bumped standards versions to 3.8.2
  * Bumped compat to 7
  * Pointed to GPL-2 in debian/copyright
  * Added php5-sqlite to possible DB backend dependencies.
  Closes: #501569
  * Proofread README.Debian, upgrade is documented there.
  Closes: #520121

 -- Bhavani Shankar <email address hidden>   Mon,  06 Jul 2009 18:29:48 +0100

Superseded in karmic-release
mediawiki (1:1.14.0-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - Add debian/patches/add-OOo-Mimetypes.diff

 -- Andreas Wenning <email address hidden>   Wed, 29 Apr 2009 06:23:20 +0200
Superseded in intrepid-updates
Superseded in intrepid-security
mediawiki (1:1.12.0-2ubuntu0.3) intrepid-security; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch taken directly from Debian
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 09:33:41 +0100
Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.3) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch based on Debian patch
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 09:55:33 +0100
Superseded in karmic-release
Obsolete in jaunty-release
mediawiki (1:1.13.3-1ubuntu2) jaunty; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch based on upstream patches for 1.13.4 and 1.13.5
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 09:25:16 +0100
Superseded in jaunty-release
mediawiki (1:1.13.3-1ubuntu1) jaunty; urgency=low

  * includes/mime.types: Add mimetypes for opendocument files (LP: #314220 ).

 -- Thomas Bechtold <email address hidden>   Sat, 21 Feb 2009 15:49:26 +0100

Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE:
    - CVE-2008-5249
    - CVE-2008-5250
    - CVE-2008-5252
    - other security-related problems (see full patch description).
    - patch based on Debian patch
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
  * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
    - Fixed output escaping for reporting of non-MediaWiki exceptions.
      Potential XSS if an extension throws one of these with user input.
    - Avoid fatal error in profileinfo.php when not configured.
    - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
      transwiki import feature.
    - Add a .htaccess to deleted images directory for additional protection
      against exposure of deleted files with known SHA-1 hashes on default
      installations.
    - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
      which are interpreted by IE as HTML.
    - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
      uploads are enabled. Firefox 1.5+ is affected.
    - Avoid streaming uploaded files to the user via index.php. This allows
      security-conscious users to serve uploaded files via a different domain,
      and thus client-side scripts executed from that domain cannot access the
      login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
    - When streaming files via index.php, use the MIME type detected from the
      file extension, not from the data. This reduces the XSS attack surface.
    - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
      XSS vulnerabilities involving uploads of files containing scripts.

 -- Andreas Wenning <email address hidden>   Sun, 01 Feb 2009 08:50:19 +0100
Superseded in intrepid-updates
Superseded in intrepid-security
mediawiki (1:1.12.0-2ubuntu0.2) intrepid-security; urgency=low

  * SECURITY UPDATE:
    - CVE-2008-5249
    - CVE-2008-5250
    - CVE-2008-5252
    - other security-related problems (see full patch description).
    - patch taken directly from Debian
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
  * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
    - Fixed output escaping for reporting of non-MediaWiki exceptions.
      Potential XSS if an extension throws one of these with user input.
    - Avoid fatal error in profileinfo.php when not configured.
    - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
      transwiki import feature.
    - Add a .htaccess to deleted images directory for additional protection
      against exposure of deleted files with known SHA-1 hashes on default
      installations.
    - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
      which are interpreted by IE as HTML.
    - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
      uploads are enabled. Firefox 1.5+ is affected.
    - Avoid streaming uploaded files to the user via index.php. This allows
      security-conscious users to serve uploaded files via a different domain,
      and thus client-side scripts executed from that domain cannot access the
      login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
    - When streaming files via index.php, use the MIME type detected from the
      file extension, not from the data. This reduces the XSS attack surface.
    - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
      XSS vulnerabilities involving uploads of files containing scripts.

 -- Andreas Wenning <email address hidden>   Sun, 01 Feb 2009 08:53:13 +0100
Superseded in jaunty-release
mediawiki (1:1.13.3-1) unstable; urgency=low

  * New upstream release.
  * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
  "An XSS vulnerability affecting all MediaWiki installations between
   1.13.0 and 1.13.2." 
  Closes: #508868
  * Fix CVE-2008-5250: several local script injection vulnerabilities
    in MediaWiki:
  "o A local script injection vulnerability affecting Internet Explorer
     clients for all MediaWiki installations with uploads enabled.
   o A local script injection vulnerability affecting clients with SVG
     scripting capability (such as Firefox 1.5+), for all MediaWiki
     installations with SVG uploads enabled."
  Closes: #508869
  * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import 
    feature in MediaWiki:
  "A CSRF vulnerability affecting the Special:Import feature, for all
   MediaWiki installations since the feature was introduced in 1.3.0."
  Closes: #508870

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  22 Dec 2008 12:45:24 +0000

Superseded in intrepid-updates
Superseded in intrepid-security
mediawiki (1:1.12.0-2ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE:
     Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
     and possibly other versions before 1.13.2 allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter
     to an unspecified component. (LP: #290015)
     - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
       upstream/Debian patch.
     - CVE-2008-4408
     - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115

 -- Iain Lane <email address hidden>   Mon, 27 Oct 2008 19:27:33 +0000
Superseded in hardy-updates
Superseded in hardy-security
mediawiki (1:1.11.2-2ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE:
     Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
     and possibly other versions before 1.13.2 allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter
     to an unspecified component. (LP: #290015)
     - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
       upstream/Debian patch.
     - CVE-2008-4408
     - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115

 -- Iain Lane <email address hidden>   Mon, 27 Oct 2008 20:17:44 +0000
Superseded in jaunty-release
mediawiki (1:1.13.2-1) unstable; urgency=low

  * New upstream release
  * Fix CVE-2008-4408: XSS in mediawiki:
    "Cross-site scripting (XSS) vulnerability allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter 
     to an unspecified component." 
  Closes: #501115

Superseded in jaunty-release
Obsolete in intrepid-release
mediawiki (1:1.12.0-2) unstable; urgency=low

  * Fixed postgresql dependency
  Closes: #472987
  * Added instructions to install and upgrade
  Closes: #472990, #472831

Superseded in intrepid-release
Obsolete in hardy-release
mediawiki (1:1.11.2-2) unstable; urgency=high

  * Added patch to fix pgsql select, thanks to Marc Dequènes
  Closes: #469841
  * Updated README.Debian to mention php5-gd instead of php5-gd2
  and texlive-latex-base instead of tetex-bin.
  Closes: #469558
  * still setting urgency to high since previous upload didn't make it
  to testing.

Superseded in hardy-release
mediawiki (1:1.11.1-1) unstable; urgency=high

  * New upstream release
  * A potential XSS injection vector affecting 
    Microsoft Internet Explorer users has been
    closed.

Superseded in hardy-release
mediawiki (1:1.11.0-2) unstable; urgency=low

  * Initial upload of 1.11.0 to unstable

Superseded in hardy-release
Obsolete in gutsy-release
mediawiki (1:1.10) unstable; urgency=low

  * Switched to mediawiki1.10
  * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)

 -- Michael Bienia <email address hidden>   Fri,  10 Aug 2007 16:15:30 +0100
Superseded in gutsy-release
mediawiki (1:1.9) unstable; urgency=low

  * Switched to mediawiki1.9, closes: #392932
  * Corrected typo in control, closes: #414121
  * Separated -math extension to a single package, closes: #401714

 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  08 May 2007 07:57:27 +0100
Obsolete in edgy-backports
mediawiki (1:1.7~edgy1) edgy-backports; urgency=low

  * Automated backport upload; no source changes.

Obsolete in dapper-backports
mediawiki (1:1.7~dapper1) dapper-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in gutsy-release
Obsolete in feisty-release
mediawiki (1:1.7) unstable; urgency=low

  * Initial Release

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  08 Nov 2006 17:16:11 +0000
Superseded in feisty-release
Obsolete in edgy-release
mediawiki (1.4.15-1) unstable; urgency=high

  * New upstream security release.

Superseded in edgy-release
Obsolete in dapper-release
mediawiki (1.4.14-1ubuntu1) dapper; urgency=low

  * Added 03_config_fix.patch to fix symlink issue
    (Closes: #30075)

 -- Peter Savage <email address hidden>   Wed, 12 Apr 2006 21:40:19 +0000
Superseded in dapper-release
Superseded in dapper-release
mediawiki (1.4.14-1) unstable; urgency=high


  * New upstream security release.
  * Removed 03_bad_version.patch.

 -- Marc Dequènes (Duck) <email address hidden>  Thu, 19 Jan 2006 14:05:29 +0100
Superseded in dapper-release
mediawiki (1.4.13-1) unstable; urgency=high


  * New upstream security release (Closes: #345280).
  * Exclude texvc/texvc.bc from dh_shlibdeps processing, it now
    strangely fails (temporary solution for fast security upload,
    further analysis later).

 -- Marc Dequènes (Duck) <email address hidden>  Sat,  7 Jan 2006 13:10:58 +0100
Superseded in dapper-release
mediawiki (1.4.12-1) unstable; urgency=high


  [ Marc Dequènes (Duck) ]
  * New upstream security release.
  * Bad version number in Special:Version page fixed by new upstream
    release (Closes: #335177).
  * Fixed configuration URL in 'debian/README.Debian' (Closes: #334131).

  [ Romain Beauxis ]
  * Build texvc bytecode on architectures where a native ocaml compiler
    does not exist (and generate correct dependencies as well) (Closes:
    #332531).

 -- Marc Dequènes (Duck) <email address hidden>  Fri,  4 Nov 2005 21:19:01 +0100
Obsolete in breezy-release
mediawiki (1.4.10-1) unstable; urgency=low


  * New upstream release
  * Fixed incorrect build dependencies

 -- Romain Beauxis <email address hidden>  Sun, 25 Sep 2005 15:02:42 +0200