Change logs for mediawiki source package in Karmic

  • mediawiki (1:1.15.0-1.1ubuntu0.4) karmic-security; urgency=low
    
      * SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
        which restrict access to private files using e.g. img_auth.php.
        - CVE-2010-1190
        - debian/patches/DataLeakage-CVE-2010-1190.patch
        - patch from upstream SVN rev. 63436
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
        - LP: #603740
     -- Andreas Wenning <email address hidden>   Fri, 09 Jul 2010 22:23:06 +0200
  • mediawiki (1:1.15.0-1.1ubuntu0.3) karmic-security; urgency=low
    
      * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
        interface. Although regular logins are protected as of 1.15.3, it was
        discovered that the account creation and password reset features were not
        protected from CSRF. This could lead to unauthorised access to private
        wikis. (LP: #586773)
        - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
        - patch from upstream SVN rev. 66991
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
      * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
        allows attackers to construct CSS strings which are treated as safe by
        previous versions of MediaWiki, but are decoded to unsafe strings by
        Internet Explorer. (LP: #586773)
        - debian/patches/XSS-IE-no-CVE_rev-66992.patch
        - patch from upstream SVN rev. 66992
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
     -- Andreas Wenning <email address hidden>   Mon, 31 May 2010 00:48:35 +0200
  • mediawiki (1:1.15.0-1.1ubuntu0.2) karmic-security; urgency=low
    
      * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
        attacker who controls a user account on the target wiki can force the
        victim to log in as the attacker, via a script on an external website.
        IMPORTANT: Fix includes a breaking change to the API login action. Any
        clients using it will need to be updated. (LP: #557159)
        - debian/patches/CSRF-no-CVE_rev-64680.patch
        - patch from upstream SVN rev. 64680
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
        - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
        - CVE-2010-1150
     -- Andreas Wenning <email address hidden>   Wed, 07 Apr 2010 11:52:21 +0200
  • mediawiki (1:1.15.0-1.1ubuntu0.1) karmic-security; urgency=low
    
      * SECURITY UPDATE: CSS validation issue allowing external images to be included
        into wikis where that is disallowed by conf. (LP: #537974)
        - debian/patches/CSS-no-CVE_rev-63429.patch
        - patch from upstream SVN rev. 63429
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
     -- Andreas Wenning <email address hidden>   Fri, 12 Mar 2010 11:53:47 +0100
  • mediawiki (1:1.15.0-1.1) unstable; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fix cross-site scripting in [[Special:Block]]
        (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
    
     -- Andreas Wenning <email address hidden>   Mon,  27 Jul 2009 16:39:30 +0100
  • mediawiki (1:1.15.0-1) unstable; urgency=low
    
      * New upstream release. 
      * Upstream added support for OASIS documents.
      Closes: #530328
      * Refreshed quilt patches
      * Bumped standards versions to 3.8.2
      * Bumped compat to 7
      * Pointed to GPL-2 in debian/copyright
      * Added php5-sqlite to possible DB backend dependencies.
      Closes: #501569
      * Proofread README.Debian, upgrade is documented there.
      Closes: #520121
    
     -- Bhavani Shankar <email address hidden>   Mon,  06 Jul 2009 18:29:48 +0100
  • mediawiki (1:1.14.0-1ubuntu1) karmic; urgency=low
    
      * Merge from debian unstable, remaining changes:
        - Add debian/patches/add-OOo-Mimetypes.diff
    
     -- Andreas Wenning <email address hidden>   Wed, 29 Apr 2009 06:23:20 +0200
  • mediawiki (1:1.13.3-1ubuntu2) jaunty; urgency=low
    
      * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
        the web-based installer (config/index.php). (LP: #348858)
        - CVE-2009-0737
        - debian/patches/CVE-2009-0737.patch
        - patch based on upstream patches for 1.13.4 and 1.13.5
        - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
        - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html
    
     -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 09:25:16 +0100