[SRM] (again) Permission to upload mediawiki to stable

To: debian-release@lists.debian.org
Subject: [SRM] (again) Permission to upload mediawiki to stable
From: Jonathan Wiltshire <jmw@debian.org>
Date: Tue, 4 Jan 2011 23:18:58 +0000
Message-id: <[🔎] 20110104231858.GA17432@lupin.powdarrmonkey.net>

Hi,

mediawiki has another security vulnerability, this time CVE-2011-0003.

The debdiff for a stable update is attached, but it has the same po/* noise
as previously. Again, it's harmless re-ordering of the fields in some
files, which I'm inclined to blame on CDBS magic.

Changelog:

mediawiki (1:1.12.0-2lenny7) stable; urgency=high

  * Stable upload.
  * CVE-2011-0003: Minimise risk of clickjacking by denying
    framing on all pages except normal page views and a few
    selected special pages

and diffstat:

 debian/patches/CVE-2011-0003.patch     |   28 ++++++++++++++++++++++++++++
 mediawiki-1.12.0/debian/changelog      |    9 +++++++++
 mediawiki-1.12.0/debian/patches/series |    1 +
 mediawiki-1.12.0/debian/po/ar.po       |    2 +-
 mediawiki-1.12.0/debian/po/ca.po       |    2 +-
 mediawiki-1.12.0/debian/po/cs.po       |    2 +-
 mediawiki-1.12.0/debian/po/de.po       |    2 +-
 mediawiki-1.12.0/debian/po/es.po       |    5 +++--
 mediawiki-1.12.0/debian/po/eu.po       |    2 +-
 mediawiki-1.12.0/debian/po/fi.po       |    2 +-
 mediawiki-1.12.0/debian/po/fr.po       |    2 +-
 mediawiki-1.12.0/debian/po/gl.po       |    2 +-
 mediawiki-1.12.0/debian/po/it.po       |    2 +-
 mediawiki-1.12.0/debian/po/ja.po       |    2 +-
 mediawiki-1.12.0/debian/po/ml.po       |    2 +-
 mediawiki-1.12.0/debian/po/nl.po       |    2 +-
 mediawiki-1.12.0/debian/po/pt.po       |    2 +-
 mediawiki-1.12.0/debian/po/pt_BR.po    |    2 +-
 mediawiki-1.12.0/debian/po/ru.po       |    6 +++---
 mediawiki-1.12.0/debian/po/sk.po       |    2 +-
 mediawiki-1.12.0/debian/po/sv.po       |    2 +-
 mediawiki-1.12.0/debian/po/ta.po       |    2 +-
 mediawiki-1.12.0/debian/po/vi.po       |    2 +-
 23 files changed, 62 insertions(+), 23 deletions(-)

TIA,


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog
--- mediawiki-1.12.0/debian/changelog
+++ mediawiki-1.12.0/debian/changelog
@@ -1,3 +1,12 @@
+mediawiki (1:1.12.0-2lenny7) stable; urgency=high
+
+  * Stable upload.
+  * CVE-2011-0003: Minimise risk of clickjacking by denying
+    framing on all pages except normal page views and a few
+    selected special pages
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Tue, 04 Jan 2011 19:32:42 +0000
+
 mediawiki (1:1.12.0-2lenny6) stable; urgency=high
 
   * Stable upload. Closes: #591382
diff -u mediawiki-1.12.0/debian/po/gl.po mediawiki-1.12.0/debian/po/gl.po
--- mediawiki-1.12.0/debian/po/gl.po
+++ mediawiki-1.12.0/debian/po/gl.po
@@ -10,10 +10,10 @@
 "PO-Revision-Date: 2007-06-12 23:54+0200\n"
 "Last-Translator: Jacobo Tarrio <jtarrio@debian.org>\n"
 "Language-Team: Galician <proxecto@trasno.net>\n"
+"Language: gl\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: gl\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ja.po mediawiki-1.12.0/debian/po/ja.po
--- mediawiki-1.12.0/debian/po/ja.po
+++ mediawiki-1.12.0/debian/po/ja.po
@@ -10,10 +10,10 @@
 "PO-Revision-Date: 2007-03-01 22:44+0900\n"
 "Last-Translator: Noritada Kobayashi <nori1@dolphin.c.u-tokyo.ac.jp>\n"
 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
+"Language: ja\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: ja\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/fi.po mediawiki-1.12.0/debian/po/fi.po
--- mediawiki-1.12.0/debian/po/fi.po
+++ mediawiki-1.12.0/debian/po/fi.po
@@ -6,10 +6,10 @@
 "PO-Revision-Date: 2007-12-18 22:37+0200\n"
 "Last-Translator: Esko Arajärvi <edu@iki.fi>\n"
 "Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n"
+"Language: fi\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: fi\n"
 "X-Poedit-Language: Finnish\n"
 "X-Poedit-Country: Finland\n"
 
diff -u mediawiki-1.12.0/debian/po/ta.po mediawiki-1.12.0/debian/po/ta.po
--- mediawiki-1.12.0/debian/po/ta.po
+++ mediawiki-1.12.0/debian/po/ta.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-06-13 14:19+0530\n"
 "Last-Translator: Dr.T.Vasudevan <agnihot3@gmail.com>\n"
 "Language-Team: TAMIL <ubuntu-l10n-tam@lists.ubuntu.com>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/nl.po mediawiki-1.12.0/debian/po/nl.po
--- mediawiki-1.12.0/debian/po/nl.po
+++ mediawiki-1.12.0/debian/po/nl.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-06-01 13:32+0100\n"
 "Last-Translator: Bart Cornelis <cobaco@linux.be>\n"
 "Language-Team: debian-l10n-dutch <debian-l10n-dutch@lists.debian.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "X-Poedit-Language: Dutch\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/sv.po mediawiki-1.12.0/debian/po/sv.po
--- mediawiki-1.12.0/debian/po/sv.po
+++ mediawiki-1.12.0/debian/po/sv.po
@@ -18,10 +18,10 @@
 "PO-Revision-Date: 2007-06-01 09:59+0100\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>\n"
 "Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
+"Language: sv\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=iso-8859-1\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: sv\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/cs.po mediawiki-1.12.0/debian/po/cs.po
--- mediawiki-1.12.0/debian/po/cs.po
+++ mediawiki-1.12.0/debian/po/cs.po
@@ -19,10 +19,10 @@
 "PO-Revision-Date: 2007-06-13 00:18+0200\n"
 "Last-Translator: Vitezslav Kotrla <vitko@post.cz>\n"
 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
+"Language: cs\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: cs\n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/pt.po mediawiki-1.12.0/debian/po/pt.po
--- mediawiki-1.12.0/debian/po/pt.po
+++ mediawiki-1.12.0/debian/po/pt.po
@@ -10,10 +10,10 @@
 "PO-Revision-Date: 2007-04-30 23:40+0100\n"
 "Last-Translator: Luísa Lourenço <kikentai@gmail.com>\n"
 "Language-Team: Native Portuguese <traduz@debianpt.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/de.po mediawiki-1.12.0/debian/po/de.po
--- mediawiki-1.12.0/debian/po/de.po
+++ mediawiki-1.12.0/debian/po/de.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-06-12 21:00+0200\n"
 "Last-Translator: Helge Kreutzmann <debian@helgefjell.de>\n"
 "Language-Team: German <debian-l10n-german@lists.debian.org>\n"
+"Language: de\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=ISO-8859-15\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: de\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/es.po mediawiki-1.12.0/debian/po/es.po
--- mediawiki-1.12.0/debian/po/es.po
+++ mediawiki-1.12.0/debian/po/es.po
@@ -40,10 +40,10 @@
 "PO-Revision-Date: 2007-06-13 22:40+0200\n"
 "Last-Translator: Javier Fernández-Sanguino <jfs@debian.org>\n"
 "Language-Team: Debian Spanish <debian-l10n-spanish@lists.debian.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "com>\n"
 
 #. Type: multiselect
@@ -170 +170,2 @@
-#~ "por si acaso esto fallara, que también está disponible en «/etc/mediawiki»."
+#~ "por si acaso esto fallara, que también está disponible en «/etc/"
+#~ "mediawiki»."
diff -u mediawiki-1.12.0/debian/po/ml.po mediawiki-1.12.0/debian/po/ml.po
--- mediawiki-1.12.0/debian/po/ml.po
+++ mediawiki-1.12.0/debian/po/ml.po
@@ -11,10 +11,10 @@
 "Last-Translator: Sreerenj B<bsreerenj@gmail.com>\n"
 "Language-Team: Swathanthra|സ്വതന്ത്ര Malayalam|മലയാളം Computing|കമ്പ്യൂട്ടിങ്ങ് <smc-"
 "discuss@googlegroups.com>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/pt_BR.po mediawiki-1.12.0/debian/po/pt_BR.po
--- mediawiki-1.12.0/debian/po/pt_BR.po
+++ mediawiki-1.12.0/debian/po/pt_BR.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-04-09 00:44-0300\n"
 "Last-Translator: Felipe Augusto van de Wiel (faw) <faw@debian.org>\n"
 "Language-Team: l10n portuguese <debian-l10n-portuguese@lists.debian.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "pt_BR utf-8\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/sk.po mediawiki-1.12.0/debian/po/sk.po
--- mediawiki-1.12.0/debian/po/sk.po
+++ mediawiki-1.12.0/debian/po/sk.po
@@ -6,10 +6,10 @@
 "PO-Revision-Date: 2007-08-13 02:41+0100\n"
 "Last-Translator: Ivan Masár <helix84@centrum.sk>\n"
 "Language-Team: Slovak <sk-i18n@lists.linux.sk>\n"
+"Language: sk\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: sk\n"
 "X-Poedit-Language: Slovak\n"
 "X-Poedit-Country: SLOVAKIA\n"
 
diff -u mediawiki-1.12.0/debian/po/ca.po mediawiki-1.12.0/debian/po/ca.po
--- mediawiki-1.12.0/debian/po/ca.po
+++ mediawiki-1.12.0/debian/po/ca.po
@@ -14,10 +14,10 @@
 "PO-Revision-Date: 2007-04-21 21:36+0200\n"
 "Last-Translator: Álvaro Martínez Majado <alvaro_m@users.sourceforge.net>\n"
 "Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
+"Language: ca\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: ca\n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/vi.po mediawiki-1.12.0/debian/po/vi.po
--- mediawiki-1.12.0/debian/po/vi.po
+++ mediawiki-1.12.0/debian/po/vi.po
@@ -10,10 +10,10 @@
 "PO-Revision-Date: 2007-06-14 16:36+0930\n"
 "Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n"
 "Language-Team: Vietnamese <vi-VN@googlegroups.com>\n"
+"Language: vi\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: vi\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Generator: LocFactoryEditor 1.6.3b1\n"
 
diff -u mediawiki-1.12.0/debian/po/fr.po mediawiki-1.12.0/debian/po/fr.po
--- mediawiki-1.12.0/debian/po/fr.po
+++ mediawiki-1.12.0/debian/po/fr.po
@@ -10,10 +10,10 @@
 "PO-Revision-Date: 2007-06-02 21:46+0200\n"
 "Last-Translator: laurent gabriel <lixin-anyuan@freesurf.ch>\n"
 "Language-Team:  <debian-l10n-french@lists.debian.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/ru.po mediawiki-1.12.0/debian/po/ru.po
--- mediawiki-1.12.0/debian/po/ru.po
+++ mediawiki-1.12.0/debian/po/ru.po
@@ -11,13 +11,13 @@
 "PO-Revision-Date: 2007-06-17 17:56+0400\n"
 "Last-Translator: Yuri Kozlov <kozlov.y@gmail.com>\n"
 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
+"Language: ru\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: ru\n"
 "X-Generator: KBabel 1.11.4\n"
-"Plural-Forms:  nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%"
-"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+"Plural-Forms:  nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/eu.po mediawiki-1.12.0/debian/po/eu.po
--- mediawiki-1.12.0/debian/po/eu.po
+++ mediawiki-1.12.0/debian/po/eu.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-05-31 22:56+0200\n"
 "Last-Translator: Piarres Beobide <pi@beobide.net>\n"
 "Language-Team: Euskara <Librezale@librezale.org>\n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/it.po mediawiki-1.12.0/debian/po/it.po
--- mediawiki-1.12.0/debian/po/it.po
+++ mediawiki-1.12.0/debian/po/it.po
@@ -11,10 +11,10 @@
 "PO-Revision-Date: 2007-06-23 11:52+0200\n"
 "Last-Translator: Luca Monducci <luca.mo@tiscali.it>\n"
 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
+"Language: it\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: it\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ar.po mediawiki-1.12.0/debian/po/ar.po
--- mediawiki-1.12.0/debian/po/ar.po
+++ mediawiki-1.12.0/debian/po/ar.po
@@ -21,10 +21,10 @@
 "PO-Revision-Date: 2007-06-13 12:40+0300\n"
 "Last-Translator: Ossama M. Khayat <okhayat@yahoo.com>\n"
 "Language-Team: Arabic <support@arabeyes.org>\n"
+"Language: ar\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Language: ar\n"
 "X-Generator: KBabel 1.11.4\n"
 "Plural-Forms: nplurals=6; plural=n==1 ? 0 : n==0 ? 1 : n==2 ? 2: n%100>=3 && "
 "n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5\n"
diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series
--- mediawiki-1.12.0/debian/patches/series
+++ mediawiki-1.12.0/debian/patches/series
@@ -13,0 +14 @@
+CVE-2011-0003.patch
only in patch2:
unchanged:
--- mediawiki-1.12.0.orig/debian/patches/CVE-2011-0003.patch
+++ mediawiki-1.12.0/debian/patches/CVE-2011-0003.patch
@@ -0,0 +1,28 @@
+Description: prevent ClickJacking by breaking out of iframes
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
+Author: Tim Starling
+Last-Update: 2011-01-04
+
+--- mediawiki-1.12.0.orig/config/index.php
++++ mediawiki-1.12.0/config/index.php
+@@ -21,6 +21,7 @@
+ 
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+ 
+ # In case of errors, let output be clean.
+--- mediawiki-1.12.0.orig/includes/OutputPage.php
++++ mediawiki-1.12.0/includes/OutputPage.php
+@@ -717,6 +717,9 @@
+ 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+ 
++		# To prevent clickjacking, do not allow this page to be inside a frame.
++		$wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ 		if ($this->mArticleBodyOnly) {
+ 			$this->out($this->mBodytext);
+ 		} else {

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: [SRM] (again) Permission to upload mediawiki to stable
  - From: Philipp Kern <pkern@debian.org>

Prev by Date: Bug#608572: marked as done (unblock: console-setup/1.67)
Next by Date: Re: Accepted bup 0.17b-2squeeze1 (source i386)
Previous by thread: Re: Permission to upload PokerTH 0.7.1-2 for Squeeze
Next by thread: Re: [SRM] (again) Permission to upload mediawiki to stable
Index(es):
- Date
- Thread