Bug#656815: pu: package mediawiki/1:1.15.5-2squeeze3
Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: pu
(severity important because of the regression)
Testing has shown that the fix for CVE-2011-4360 introduces a regression:
in some situations, an error is returned instead of a login prompt. Moreover,
the Debian package seems not to disclose information as described by the CVE.
For this reason I would like to get a fix into this point release rather
than waiting for the next. I realise the window technically closes this weekend
and I'm sorry for the late notice.
Debdiff attached, it's a one line change that just disables the patch in the
quilt series file.
Thanks
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog
--- mediawiki-1.15.5/debian/changelog 2012-01-13 10:55:12.000000000 +0000
+++ mediawiki-1.15.5/debian/changelog 2012-01-21 21:08:01.000000000 +0000
@@ -1,3 +1,10 @@
+mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
+
+ * Disable CVE-2011-4360.patch, it causes ugly error messages in certain
+ situations. The CVE does not apply to this release.
+
+ -- Jonathan Wiltshire <jmw@debian.org> Sat, 21 Jan 2012 20:59:36 +0000
+
mediawiki (1:1.15.5-2squeeze3) stable; urgency=low
* debian/patches/CVE-2012-0046.patch: security fix for unintended exposure
diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series
--- mediawiki-1.15.5/debian/patches/series 2012-01-13 10:12:04.000000000 +0000
+++ mediawiki-1.15.5/debian/patches/series 2012-01-21 20:57:43.000000000 +0000
@@ -11,6 +11,5 @@
CVE-2011-1579.patch
CVE-2011-1580.patch
CVE-2011-1587.patch
-CVE-2011-4360.patch
CVE-2011-4361.patch
CVE-2012-0046.patch
Reply to: