Change logs for mediawiki source package in Hardy

  • mediawiki (1:1.11.2-2ubuntu0.7) hardy-security; urgency=low
    
      * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
        which restrict access to private files using e.g. img_auth.php.
        - CVE-2010-1190
        - debian/patches/DataLeakage-CVE-2010-1190.patch
        - patch based on upstream SVN rev. 63436
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
        - LP: #603740
     -- Andreas Wenning <email address hidden>   Fri, 09 Jul 2010 22:38:34 +0200
  • mediawiki (1:1.11.2-2ubuntu0.6) hardy-security; urgency=low
    
      * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
        interface. Although regular logins are protected as of 1.15.3, it was
        discovered that the account creation and password reset features were not
        protected from CSRF. This could lead to unauthorised access to private
        wikis. (LP: #586773)
        - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
        - patch from upstream SVN rev. 66991
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
      * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
        allows attackers to construct CSS strings which are treated as safe by
        previous versions of MediaWiki, but are decoded to unsafe strings by
        Internet Explorer. (LP: #586773)
        - debian/patches/XSS-IE-no-CVE_rev-66992.patch
        - patch from upstream SVN rev. 66992
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
     -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:45:24 +0200
  • mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low
    
      * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
        attacker who controls a user account on the target wiki can force the
        victim to log in as the attacker, via a script on an external website.
        IMPORTANT: Fix includes a breaking change to the API login action. Any
        clients using it will need to be updated. (LP: #557159)
        - debian/patches/CSRF-no-CVE_rev-64680.patch
        - patch based on upstream SVN rev. 64680
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
        - CVE-2010-1150
     -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 12:08:55 +0200
  • mediawiki (1:1.11.2-2ubuntu0.4) hardy-security; urgency=low
    
      * SECURITY UPDATE: CSS validation issue allowing external images to be included
        into wikis where that is disallowed by conf. (LP: #537974)
        - debian/patches/CSS-no-CVE_rev-63429.patch
        - patch based on upstream SVN rev. 63429
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
      * Fix regression in CVE-2009-0737.patch, where the database-specific options
        will not be shown by default when installing mediawiki. (LP: #539697)
     -- Andreas Wenning <email address hidden>   Tue, 16 Mar 2010 18:43:48 +0100
  • mediawiki (1:1.11.2-2ubuntu0.3) hardy-security; urgency=low
    
      * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
        the web-based installer (config/index.php). (LP: #348858)
        - CVE-2009-0737
        - debian/patches/CVE-2009-0737.patch
        - patch based on Debian patch
        - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html
    
     -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 09:55:33 +0100
  • mediawiki (1:1.11.2-2ubuntu0.2) hardy-security; urgency=low
    
      * SECURITY UPDATE:
        - CVE-2008-5249
        - CVE-2008-5250
        - CVE-2008-5252
        - other security-related problems (see full patch description).
        - patch based on Debian patch
        - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
        - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
      * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
        - Fixed output escaping for reporting of non-MediaWiki exceptions.
          Potential XSS if an extension throws one of these with user input.
        - Avoid fatal error in profileinfo.php when not configured.
        - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
          transwiki import feature.
        - Add a .htaccess to deleted images directory for additional protection
          against exposure of deleted files with known SHA-1 hashes on default
          installations.
        - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
          which are interpreted by IE as HTML.
        - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
          uploads are enabled. Firefox 1.5+ is affected.
        - Avoid streaming uploaded files to the user via index.php. This allows
          security-conscious users to serve uploaded files via a different domain,
          and thus client-side scripts executed from that domain cannot access the
          login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
        - When streaming files via index.php, use the MIME type detected from the
          file extension, not from the data. This reduces the XSS attack surface.
        - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
          XSS vulnerabilities involving uploads of files containing scripts.
    
     -- Andreas Wenning <email address hidden>   Sun, 01 Feb 2009 08:50:19 +0100
  • mediawiki (1:1.11.2-2ubuntu0.1) hardy-security; urgency=low
    
      * SECURITY UPDATE:
         Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
         and possibly other versions before 1.13.2 allows remote attackers
         to inject arbitrary web script or HTML via the useskin parameter
         to an unspecified component. (LP: #290015)
         - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
           upstream/Debian patch.
         - CVE-2008-4408
         - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
         - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115
    
     -- Iain Lane <email address hidden>   Mon, 27 Oct 2008 20:17:44 +0000
  • mediawiki (1:1.11.2-2) unstable; urgency=high
    
      * Added patch to fix pgsql select, thanks to Marc Dequènes
      Closes: #469841
      * Updated README.Debian to mention php5-gd instead of php5-gd2
      and texlive-latex-base instead of tetex-bin.
      Closes: #469558
      * still setting urgency to high since previous upload didn't make it
      to testing.
    
    mediawiki (1:1.11.2-1) unstable; urgency=high
    
      * New upstream release
      * Security fix:
          "Possible cross-site information leaks using the callback
           parameter for JSON-formatted results in the API are prevented by
           dropping user credentials."
      * Added information on LocalSettings.php in README.Debian
      Closes: #462609
    
     -- William Grant <email address hidden>   Mon, 03 Mar 2008 13:58:57 +0100
  • mediawiki (1:1.11.1-1) unstable; urgency=high
    
      * New upstream release
      * A potential XSS injection vector affecting 
        Microsoft Internet Explorer users has been
        closed.
    
    mediawiki (1:1.11.0-4) unstable; urgency=low
    
      * Really add the patch for #459312
      * Added also patch to fix #459617
        Closes: #459617
      * Merged two previous patches
    
    mediawiki (1:1.11.0-3) unstable; urgency=low
    
      * Really remove debian specific scripts
      * Backported patch to fix unserialize with postgre
        Closes: #459312
      * Added Finnish translation of the debconf templates, thanks to Esko
        Arajärvi. Closes: #456983
      * Updated standards to 3.7.3 (no changes)
    
     -- Michael Bienia <email address hidden>   Tue,  05 Feb 2008 00:24:07 +0000
  • mediawiki (1:1.11.0-2) unstable; urgency=low
    
      * Initial upload of 1.11.0 to unstable
    
    mediawiki (1:1.11.0-1) experimental; urgency=low
    
      * Removed mediawikiX versioned packages
      * Updated to mediawiki 1.11
      * Removed automatic upgrade script
      * Updated README.Debian (Closes: #442311, #442302)
      * Changed default upload directory (Closes: #444445)
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  05 Nov 2007 19:29:38 +0000
  • mediawiki (1:1.10) unstable; urgency=low
    
      * Switched to mediawiki1.10
      * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
    
     -- Michael Bienia <email address hidden>   Fri,  10 Aug 2007 16:15:30 +0100