Accepted mediawiki 1:1.12.0-2lenny3~bpo40+1 (source all powerpc)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 07 Mar 2009 19:21:27 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all powerpc
Version: 1:1.12.0-2lenny3~bpo40+1
Distribution: etch-backports
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Gerfried Fuchs <rhonda@debian.at>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 508869 508870 514547
Changes:
mediawiki (1:1.12.0-2lenny3~bpo40+1) etch-backports; urgency=low
.
* Security rebuild for etch-backports to fix CVE-2008-5249, CVE-2008-5250,
CVE-2008-5252, CVE-2008-5687 and CVE-2009-0737.
.
mediawiki (1:1.12.0-2lenny3) testing-security; urgency=high
.
* Security upload.
* Applied changes from 1.12.4:
"A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These
vulnerabilities all require a live installer -- once the installer
has been used to install a wiki, it is deactivated."
Closes: #514547
.
mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
.
* Security update, NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
* debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
- Fixed output escaping for reporting of non-MediaWiki exceptions.
Potential XSS if an extension throws one of these with user input.
- Avoid fatal error in profileinfo.php when not configured.
- Fixed CSRF vulnerability in Special:Import. Fixed input validation in
transwiki import feature.
- Add a .htaccess to deleted images directory for additional protection
against exposure of deleted files with known SHA-1 hashes on default
installations.
- Fixed XSS vulnerability for Internet Explorer clients, via file uploads
which are interpreted by IE as HTML.
- Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
uploads are enabled. Firefox 1.5+ is affected.
- Avoid streaming uploaded files to the user via index.php. This allows
security-conscious users to serve uploaded files via a different domain,
and thus client-side scripts executed from that domain cannot access the
login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
- When streaming files via index.php, use the MIME type detected from the
file extension, not from the data. This reduces the XSS attack surface.
- Blacklist redirects via Special:Filepath. Such redirects exacerbate any
XSS vulnerabilities involving uploads of files containing scripts.
Closes: #508869, #508870
Files:
97fdf50b2a7020c0378c120e29fe7e38 832 web optional mediawiki_1.12.0-2lenny3~bpo40+1.dsc
b5b87cc0d3d3451a1e74a5b1bd3f4970 59276 web optional mediawiki_1.12.0-2lenny3~bpo40+1.diff.gz
a2f82e69243b3af358e4c389d57a5f9a 7186656 web optional mediawiki_1.12.0-2lenny3~bpo40+1_all.deb
32ba666f89126c9b9c8a7219d5b2e5b0 151944 web optional mediawiki-math_1.12.0-2lenny3~bpo40+1_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmy42IACgkQELuA/Ba9d8bF7wCffbYChdk2WF8nYyo1JQ8fFOSq
qfIAoN5kXFyLPoZY9k2quPP+gHCvgoh/
=Yqw3
-----END PGP SIGNATURE-----
Accepted:
mediawiki-math_1.12.0-2lenny3~bpo40+1_powerpc.deb
to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny3~bpo40+1_powerpc.deb
mediawiki_1.12.0-2lenny3~bpo40+1.diff.gz
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3~bpo40+1.diff.gz
mediawiki_1.12.0-2lenny3~bpo40+1.dsc
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3~bpo40+1.dsc
mediawiki_1.12.0-2lenny3~bpo40+1_all.deb
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3~bpo40+1_all.deb