Your message dated Sun, 30 Dec 2012 16:43:24 +0000 with message-id <1356885804.4281.43.camel@jacala.jungle.funky-badger.org> and subject line Re: Bug#696999: [adam@adam-barratt.org.uk: Re: Bug#696999: unblock: mediawiki-extensions/2.11] has caused the Debian Bug report #696999, regarding unblock: mediawiki-extensions/2.11 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 696999: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696999 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: mediawiki-extensions/2.11
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sun, 30 Dec 2012 15:55:23 +0000
- Message-id: <[🔎] 20121230155523.GE5438@ernie.home.powdarrmonkey.net>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock mediawiki-extensions to fix the security bug #696179 (no CVE has been assigned yet). This resolves an XSS attack on any user of a wiki importing a malicious RSS feed (insufficient escaping). It has been uploaded as urgency=medium but could be aged to high if you wish. Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 <directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghitsAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Thorsten Glaser <tg@mirbsd.de>, 696999-done@bugs.debian.org
- Cc: pkg-mediawiki@lists.alioth.debian.org
- Subject: Re: Bug#696999: [adam@adam-barratt.org.uk: Re: Bug#696999: unblock: mediawiki-extensions/2.11]
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 30 Dec 2012 16:43:24 +0000
- Message-id: <1356885804.4281.43.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <[🔎] Pine.BSM.4.64L.1212301632050.18561@herc.mirbsd.org>
- References: <20121230162702.GG5438@ernie.home.powdarrmonkey.net> <[🔎] Pine.BSM.4.64L.1212301632050.18561@herc.mirbsd.org>
On Sun, 2012-12-30 at 16:33 +0000, Thorsten Glaser wrote: > Jonathan Wiltshire dixit: > > >Any idea what the comment in > > > >++ array('a', /* does not work */ 'img'))); > > > >is about? > > The MediaWiki HTML sanitiser accepts an array of tags to also > accept in the output. I’ve tried whitelisting 'a' and 'img', > but the latter does not currently work. I hope this will be > addressed in a future version of MediaWiki (actually, I could > probably cook up a patch), and right now, its presence there > is a nop. Hmmm, okay. Unblocked. Regards, Adam
--- End Message ---