mediawiki (1:1.15.1-1ubuntu2.1) lucid-security; urgency=low
* SECURITY UPDATE: A CSRF vulnerability was discovered in our login
interface. Although regular logins are protected as of 1.15.3, it was
discovered that the account creation and password reset features were not
protected from CSRF. This could lead to unauthorised access to private
wikis. (LP: #586773)
- debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
- patch from upstream SVN rev. 66991
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
- https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
* SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
allows attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. (LP: #586773)
- debian/patches/XSS-IE-no-CVE_rev-66992.patch
- patch from upstream SVN rev. 66992
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
- https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
-- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:49:12 +0200
-
mediawiki (1:1.15.1-1ubuntu2) lucid; urgency=low
* SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
attacker who controls a user account on the target wiki can force the
victim to log in as the attacker, via a script on an external website.
IMPORTANT: Fix includes a breaking change to the API login action. Any
clients using it will need to be updated. (LP: #557159)
- debian/patches/CSRF-no-CVE_rev-64680.patch
- patch from upstream SVN rev. 64680
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
- https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
-- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:46:10 +0200
-
mediawiki (1:1.15.1-1ubuntu1) lucid; urgency=low
* SECURITY UPDATE: CSS validation issue allowing external images to be included
into wikis where that is disallowed by conf. (LP: #537974)
- debian/patches/CSS-no-CVE_rev-63429.patch
- patch from upstream SVN rev. 63429
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
* SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
which restrict access to private files using e.g. img_auth.php.
- debian/patches/DataLeakage-no-CVE_rev-63436.patch
- patch from upstream SVN rev. 63436
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
-- Andreas Wenning <email address hidden> Fri, 12 Mar 2010 12:06:25 +0100
-
mediawiki (1:1.15.1-1) unstable; urgency=low
* New upstream release.
* Ack previous NMU, thanks to Nico Golde for taking care
of this.
-- Ubuntu Archive Auto-Sync <email address hidden> Thu, 05 Nov 2009 10:40:04 +0000
-
mediawiki (1:1.15.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cross-site scripting in [[Special:Block]]
(No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-- Andreas Wenning <email address hidden> Mon, 27 Jul 2009 16:39:30 +0100