[Pkg-mediawiki-commits] r285 - in mediawiki/tags: . 1:1.15.5-2squeeze2/debian 1:1.15.5-2squeeze2/debian/patches
Jonathan Wiltshire
jmw at alioth.debian.org
Sun Dec 18 23:43:37 UTC 2011
Author: jmw
Date: 2011-12-18 23:43:37 +0000 (Sun, 18 Dec 2011)
New Revision: 285
Added:
mediawiki/tags/1:1.15.5-2squeeze2/
mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1578.patch
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1579.patch
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1580.patch
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1587.patch
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series
Removed:
mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog
mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series
Log:
[svn-buildpackage] Tagging mediawiki 1:1.15.5-2squeeze2
Deleted: mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog
===================================================================
--- mediawiki/squeeze/debian/changelog 2011-12-05 22:14:51 UTC (rev 273)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog 2011-12-18 23:43:37 UTC (rev 285)
@@ -1,343 +0,0 @@
-mediawiki (1:1.15.5-2squeeze2) UNRELEASED; urgency=low
-
- * Security fixes from upstream (Closes: #650434):
- CVE-2011-4360 - page titles on private wikis could be exposed
- bypassing different page ids to index.php
- CVE-2011-4361 - action=ajax requests were dispatched to the
- relevant function without any read permission checks being done
-
- -- Jonathan Wiltshire <jmw at debian.org> Thu, 01 Dec 2011 10:50:30 +0000
-
-mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
-
- * CVE-2011-0047: Protect against a CSS injection vulnerability
- (closes: #611787)
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Sun, 06 Feb 2011 13:45:39 +0000
-
-mediawiki (1:1.15.5-2) testing-security; urgency=high
-
- * CVE-2011-0003: Protect against clickjacking by sending the
- X-Frame-Options header in all pages (except normal page views
- and a few selected special pages). Patch as released by upstream
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 04 Jan 2011 22:39:26 +0000
-
-mediawiki (1:1.15.5-1) unstable; urgency=high
-
- [ Thorsten Glaser ]
- * debian/patches/suppress_warnings.patch: new, suppress warnings
- about session_start() being called twice also in the PHP error
- log, not just MediaWiki’s, for example run from FusionForge
-
- [ Jonathan Wiltshire ]
- * New upstream security release:
- - correctly set caching headers to prevent private data leakage
- (closes: #590660, LP: #610782)
- - fix XSS vulnerability in profileinfo.php
- (closes: #590669, LP: #610819)
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Wed, 28 Jul 2010 12:23:04 +0100
-
-mediawiki (1:1.15.4-2) unstable; urgency=low
-
- [ Thorsten Glaser ]
- * debian/control: add Vcs-SVN and Vcs-Browser
-
- [ Jonathan Wiltshire ]
- * debian/source/format: Switch to source format 3.0 (quilt)
- * debian/rules: Drop CDBS quilt logic
- * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
- remove the original definition (LP: #406358)
- * debian/README.source: document use of quilt and format 3.0 (quilt)
- * New patch backup_documentation.patch improves documentation of
- maintenance/dumpBackup.php (closes: #572355)
- * Standards version 3.9.0 (no changes)
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 29 Jun 2010 14:20:35 +0100
-
-mediawiki (1:1.15.4-1) unstable; urgency=high
-
- [ Jonathan Wiltshire ]
- * New upstream security release (closes: #585918).
- * CVE-2010-1647:
- Fix a cross-site scripting (XSS) vulnerability which allows
- remote attackers to inject arbitrary web script or HTML via crafted
- Cascading Style Sheets (CSS) strings that are processed as script by
- Internet Explorer.
- * CVE-2010-1648:
- Fix a cross-site request forgery (CSRF) vulnerability in the login interface
- which allows remote attackers to hijack the authentication of users for
- requests that (1) create accounts or (2) reset passwords, related to the
- Special:Userlogin form.
-
- [ Romain Beauxis ]
- * Put debian's package version in declared version.
- Should help sysadmins to keep track of installed
- versions, in particular with regard to security
- updates.
- * Added Jonathan Wiltshire to uploaders.
- * Do not clan math dir if it does not exist (for instance
- when running clean from SVN).
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 21 Jun 2010 23:41:29 +0200
-
-mediawiki (1:1.15.3-1) unstable; urgency=high
-
- * New upstream release.
- * Fixes security issue:
- "MediaWiki was found to be vulnerable to login CSRF. An attacker who
- controls a user account on the target wiki can force the victim to log
- in as the attacker, via a script on an external website. If the wiki is
- configured to allow user scripts, say with "$wgAllowUserJs = true" in
- LocalSettings.php, then the attacker can proceed to mount a
- phishing-style attack against the victim to obtain their password."
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:44:09 -0500
-
-mediawiki (1:1.15.2-1) unstable; urgency=high
-
- * New upstream release.
- * Fixes security issue:
- "Two security issues were discovered:
-
- A CSS validation issue was discovered which allows editors to display
- external images in wiki pages. This is a privacy concern on public
- wikis, since a malicious user may link to an image on a server they
- control, which would allow that attacker to gather IP addresses and
- other information from users of the public wiki. All sites running
- publicly-editable MediaWiki installations are advised to upgrade. All
- versions of MediaWiki (prior to this one) are affected.
-
- A data leakage vulnerability was discovered in thumb.php which affects
- wikis which restrict access to private files using img_auth.php, or
- some similar scheme. All versions of MediaWiki since 1.5 are affected."
- * Updated standards.
- * Removed section about upgrading from mediawiki1.x packages
- in README.Debian since they do not exist in any supported distribution
- anymore.
- * Switched php5-gd and imagemagick in Suggests. Closes: #542008
- * Backported patch from revision 51083 to fix a bug with invalid titles.
- Closes: #537134
- * Backported patch from revision 61090 to add a unique guid per RSS
- feed element.
- Closes: #383130
- * Refreshed patches.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 11:41:07 -0500
-
-mediawiki (1:1.15.1-1) unstable; urgency=low
-
- * New upstream release.
- * Ack previous NMU, thanks to Nico Golde for taking care
- of this.
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 09 Aug 2009 10:46:41 -0500
-
-mediawiki (1:1.15.0-1.1) unstable; urgency=high
-
- * Non-maintainer upload by the Security Team.
- * Fix cross-site scripting in [[Special:Block]]
- (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-
- -- Nico Golde <nion at debian.org> Sun, 26 Jul 2009 18:11:07 +0200
-
-mediawiki (1:1.15.0-1) unstable; urgency=low
-
- * New upstream release.
- * Upstream added support for OASIS documents.
- Closes: #530328
- * Refreshed quilt patches
- * Bumped standards versions to 3.8.2
- * Bumped compat to 7
- * Pointed to GPL-2 in debian/copyright
- * Added php5-sqlite to possible DB backend dependencies.
- Closes: #501569
- * Proofread README.Debian, upgrade is documented there.
- Closes: #520121
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 19 Jun 2009 01:38:50 +0200
-
-mediawiki (1:1.14.0-1) unstable; urgency=low
-
- * New upstream release.
- * Fixed issues in the installer:
- "A number of cross-site scripting (XSS) security vulnerabilities were
- discovered in the web-based installer (config/index.php).
- These vulnerabilities all require a live installer once the installer
- has been used to install a wiki, it is deactivated.
-
- Note that cross-site scripting vulnerabilities can be used to attack
- any website in the same cookie domain. So if you have an uninstalled
- copy of MediaWiki on the same site as an active web service, MediaWiki
- could be used to attack the active service."
- Closes: #514547
- * Fixed typo in README.Debian
- Closes: #515192
- * Updated japanese debconf translation, thanks to Hideki Yamane
- Closes: #510896
- * Added a file in debian/copyright
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 06 Mar 2009 20:29:17 +0100
-
-mediawiki (1:1.13.3-1) unstable; urgency=low
-
- * New upstream release.
- * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
- "An XSS vulnerability affecting all MediaWiki installations between
- 1.13.0 and 1.13.2."
- Closes: #508868
- * Fix CVE-2008-5250: several local script injection vulnerabilities
- in MediaWiki:
- "o A local script injection vulnerability affecting Internet Explorer
- clients for all MediaWiki installations with uploads enabled.
- o A local script injection vulnerability affecting clients with SVG
- scripting capability (such as Firefox 1.5+), for all MediaWiki
- installations with SVG uploads enabled."
- Closes: #508869
- * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
- feature in MediaWiki:
- "A CSRF vulnerability affecting the Special:Import feature, for all
- MediaWiki installations since the feature was introduced in 1.3.0."
- Closes: #508870
-
- -- Romain Beauxis <toots at rastageeks.org> Thu, 18 Dec 2008 02:37:58 +0100
-
-mediawiki (1:1.13.2-1) unstable; urgency=low
-
- * New upstream release
- * Fix CVE-2008-4408: XSS in mediawiki:
- "Cross-site scripting (XSS) vulnerability allows remote attackers
- to inject arbitrary web script or HTML via the useskin parameter
- to an unspecified component."
- Closes: #501115
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 11 Oct 2008 15:02:39 +0200
-
-mediawiki (1:1.13.0-2) unstable; urgency=low
-
- * Removed buggy postgresql patch
- Closes: #497042
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 30 Aug 2008 14:06:47 +0200
-
-mediawiki (1:1.13.0-1) unstable; urgency=low
-
- * New upstream release
- * Fixed watch file. Closes: #490009
- * Refreshed patches
- * Bumped standard-version to 3.8.0
- * Fixed latex-related dependencies in mediawiki-math
- * Removed obsolete linda override, thanks lintian !
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 17 Aug 2008 11:01:43 +0200
-
-mediawiki (1:1.12.0-2) unstable; urgency=low
-
- * Fixed postgresql dependency
- Closes: #472987
- * Added instructions to install and upgrade
- Closes: #472990, #472831
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
-
-mediawiki (1:1.12.0-1) unstable; urgency=low
-
- * New upstream release
- * Updated patch for postfix support: dropped what
- has been implemented upstream
- * Refreshed other patches, thanks to quilt
- * Changed postgresql recommends to "postgresql" package
- Closes: #469582
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
-
-mediawiki (1:1.11.2-2) unstable; urgency=high
-
- * Added patch to fix pgsql select, thanks to Marc Dequènes
- Closes: #469841
- * Upated README.Debian to mention php5-gd instead of php5-gd2
- and texlive-latex-base instead to tetex-bin.
- Closes: #469558
- * still setting urgency to high since previous upload didn't make it
- to testing.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
-
-mediawiki (1:1.11.2-1) unstable; urgency=high
-
- * New upstream release
- * Security fix:
- "Possible cross-site information leaks using the callback
- parameter for JSON-formatted results in the API are prevented by
- dropping user credentials."
- * Added informations on LocalSettings.php in README.Debian
- Closes: #462609
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
-
-mediawiki (1:1.11.1-1) unstable; urgency=high
-
- * New upstream release
- * A potential XSS injection vector affecting
- Microsoft Internet Explorer users has been
- closed.
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
-
-mediawiki (1:1.11.0-4) unstable; urgency=low
-
- * Really add the patch for #459312
- * Added also patch to fix #459617
- Closes: #459617
- * Merged two previous patches
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
-
-mediawiki (1:1.11.0-3) unstable; urgency=low
-
- * Really remove debian specific scripts
- * Backported patch to fix unserialize with postgre
- Closes: #459312
- * Added finnish translation of the debconf templates, thanks to Esko
- Arajärvi. Closes: #456983
- * Updated standards to 3.7.3 (no changes)
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
-
-mediawiki (1:1.11.0-2) unstable; urgency=low
-
- * Initial upload of 1.11.0 to unstable
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
-
-mediawiki (1:1.11.0-1) experimental; urgency=low
-
- * Removed mediawikiX versioned packages
- * Updated to mediawiki 1.11
- * Removed automatic upgrade script
- * Updated README.Debian (Closes: #442311, #442302)
- * Changed default upload directory (Closes: #444445)
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
-
-mediawiki (1:1.10) unstable; urgency=low
-
- * Switched to mediawiki1.10
- * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
-
- -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
-
-mediawiki (1:1.9) unstable; urgency=low
-
- * Switched to mediawiki1.9, closes: #392932
- * Corrected typo in control, closes: #414121
- * Seperated -math extension to a single package, closes: #401714
-
- -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
-
-mediawiki (1:1.7) unstable; urgency=low
-
- * Initial Release
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog (from rev 283, mediawiki/squeeze/debian/changelog)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/changelog 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,347 @@
+mediawiki (1:1.15.5-2squeeze2) stable-security; urgency=low
+
+ * Security fixes from upstream (Closes: #650434):
+ CVE-2011-4360 - page titles on private wikis could be exposed
+ bypassing different page ids to index.php
+ CVE-2011-4361 - action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done
+ CVE-2011-1578 - XSS for IE <= 6
+ CVE-2011-1579 - CSS validation error in wikitext parser
+ CVE-2011-1580 - access control checks on transwiki import feature
+ CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 18 Dec 2011 23:17:47 +0000
+
+mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
+
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Sun, 06 Feb 2011 13:45:39 +0000
+
+mediawiki (1:1.15.5-2) testing-security; urgency=high
+
+ * CVE-2011-0003: Protect against clickjacking by sending the
+ X-Frame-Options header in all pages (except normal page views
+ and a few selected special pages). Patch as released by upstream
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 04 Jan 2011 22:39:26 +0000
+
+mediawiki (1:1.15.5-1) unstable; urgency=high
+
+ [ Thorsten Glaser ]
+ * debian/patches/suppress_warnings.patch: new, suppress warnings
+ about session_start() being called twice also in the PHP error
+ log, not just MediaWiki’s, for example run from FusionForge
+
+ [ Jonathan Wiltshire ]
+ * New upstream security release:
+ - correctly set caching headers to prevent private data leakage
+ (closes: #590660, LP: #610782)
+ - fix XSS vulnerability in profileinfo.php
+ (closes: #590669, LP: #610819)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Wed, 28 Jul 2010 12:23:04 +0100
+
+mediawiki (1:1.15.4-2) unstable; urgency=low
+
+ [ Thorsten Glaser ]
+ * debian/control: add Vcs-SVN and Vcs-Browser
+
+ [ Jonathan Wiltshire ]
+ * debian/source/format: Switch to source format 3.0 (quilt)
+ * debian/rules: Drop CDBS quilt logic
+ * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
+ remove the original definition (LP: #406358)
+ * debian/README.source: document use of quilt and format 3.0 (quilt)
+ * New patch backup_documentation.patch improves documentation of
+ maintenance/dumpBackup.php (closes: #572355)
+ * Standards version 3.9.0 (no changes)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 29 Jun 2010 14:20:35 +0100
+
+mediawiki (1:1.15.4-1) unstable; urgency=high
+
+ [ Jonathan Wiltshire ]
+ * New upstream security release (closes: #585918).
+ * CVE-2010-1647:
+ Fix a cross-site scripting (XSS) vulnerability which allows
+ remote attackers to inject arbitrary web script or HTML via crafted
+ Cascading Style Sheets (CSS) strings that are processed as script by
+ Internet Explorer.
+ * CVE-2010-1648:
+ Fix a cross-site request forgery (CSRF) vulnerability in the login interface
+ which allows remote attackers to hijack the authentication of users for
+ requests that (1) create accounts or (2) reset passwords, related to the
+ Special:Userlogin form.
+
+ [ Romain Beauxis ]
+ * Put debian's package version in declared version.
+ Should help sysadmins to keep track of installed
+ versions, in particular with regard to security
+ updates.
+ * Added Jonathan Wiltshire to uploaders.
+ * Do not clan math dir if it does not exist (for instance
+ when running clean from SVN).
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 21 Jun 2010 23:41:29 +0200
+
+mediawiki (1:1.15.3-1) unstable; urgency=high
+
+ * New upstream release.
+ * Fixes security issue:
+ "MediaWiki was found to be vulnerable to login CSRF. An attacker who
+ controls a user account on the target wiki can force the victim to log
+ in as the attacker, via a script on an external website. If the wiki is
+ configured to allow user scripts, say with "$wgAllowUserJs = true" in
+ LocalSettings.php, then the attacker can proceed to mount a
+ phishing-style attack against the victim to obtain their password."
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:44:09 -0500
+
+mediawiki (1:1.15.2-1) unstable; urgency=high
+
+ * New upstream release.
+ * Fixes security issue:
+ "Two security issues were discovered:
+
+ A CSS validation issue was discovered which allows editors to display
+ external images in wiki pages. This is a privacy concern on public
+ wikis, since a malicious user may link to an image on a server they
+ control, which would allow that attacker to gather IP addresses and
+ other information from users of the public wiki. All sites running
+ publicly-editable MediaWiki installations are advised to upgrade. All
+ versions of MediaWiki (prior to this one) are affected.
+
+ A data leakage vulnerability was discovered in thumb.php which affects
+ wikis which restrict access to private files using img_auth.php, or
+ some similar scheme. All versions of MediaWiki since 1.5 are affected."
+ * Updated standards.
+ * Removed section about upgrading from mediawiki1.x packages
+ in README.Debian since they do not exist in any supported distribution
+ anymore.
+ * Switched php5-gd and imagemagick in Suggests. Closes: #542008
+ * Backported patch from revision 51083 to fix a bug with invalid titles.
+ Closes: #537134
+ * Backported patch from revision 61090 to add a unique guid per RSS
+ feed element.
+ Closes: #383130
+ * Refreshed patches.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 11:41:07 -0500
+
+mediawiki (1:1.15.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Ack previous NMU, thanks to Nico Golde for taking care
+ of this.
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 09 Aug 2009 10:46:41 -0500
+
+mediawiki (1:1.15.0-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cross-site scripting in [[Special:Block]]
+ (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
+
+ -- Nico Golde <nion at debian.org> Sun, 26 Jul 2009 18:11:07 +0200
+
+mediawiki (1:1.15.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * Upstream added support for OASIS documents.
+ Closes: #530328
+ * Refreshed quilt patches
+ * Bumped standards versions to 3.8.2
+ * Bumped compat to 7
+ * Pointed to GPL-2 in debian/copyright
+ * Added php5-sqlite to possible DB backend dependencies.
+ Closes: #501569
+ * Proofread README.Debian, upgrade is documented there.
+ Closes: #520121
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 19 Jun 2009 01:38:50 +0200
+
+mediawiki (1:1.14.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed issues in the installer:
+ "A number of cross-site scripting (XSS) security vulnerabilities were
+ discovered in the web-based installer (config/index.php).
+ These vulnerabilities all require a live installer once the installer
+ has been used to install a wiki, it is deactivated.
+
+ Note that cross-site scripting vulnerabilities can be used to attack
+ any website in the same cookie domain. So if you have an uninstalled
+ copy of MediaWiki on the same site as an active web service, MediaWiki
+ could be used to attack the active service."
+ Closes: #514547
+ * Fixed typo in README.Debian
+ Closes: #515192
+ * Updated japanese debconf translation, thanks to Hideki Yamane
+ Closes: #510896
+ * Added a file in debian/copyright
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 06 Mar 2009 20:29:17 +0100
+
+mediawiki (1:1.13.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
+ "An XSS vulnerability affecting all MediaWiki installations between
+ 1.13.0 and 1.13.2."
+ Closes: #508868
+ * Fix CVE-2008-5250: several local script injection vulnerabilities
+ in MediaWiki:
+ "o A local script injection vulnerability affecting Internet Explorer
+ clients for all MediaWiki installations with uploads enabled.
+ o A local script injection vulnerability affecting clients with SVG
+ scripting capability (such as Firefox 1.5+), for all MediaWiki
+ installations with SVG uploads enabled."
+ Closes: #508869
+ * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
+ feature in MediaWiki:
+ "A CSRF vulnerability affecting the Special:Import feature, for all
+ MediaWiki installations since the feature was introduced in 1.3.0."
+ Closes: #508870
+
+ -- Romain Beauxis <toots at rastageeks.org> Thu, 18 Dec 2008 02:37:58 +0100
+
+mediawiki (1:1.13.2-1) unstable; urgency=low
+
+ * New upstream release
+ * Fix CVE-2008-4408: XSS in mediawiki:
+ "Cross-site scripting (XSS) vulnerability allows remote attackers
+ to inject arbitrary web script or HTML via the useskin parameter
+ to an unspecified component."
+ Closes: #501115
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 11 Oct 2008 15:02:39 +0200
+
+mediawiki (1:1.13.0-2) unstable; urgency=low
+
+ * Removed buggy postgresql patch
+ Closes: #497042
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 30 Aug 2008 14:06:47 +0200
+
+mediawiki (1:1.13.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Fixed watch file. Closes: #490009
+ * Refreshed patches
+ * Bumped standard-version to 3.8.0
+ * Fixed latex-related dependencies in mediawiki-math
+ * Removed obsolete linda override, thanks lintian !
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 17 Aug 2008 11:01:43 +0200
+
+mediawiki (1:1.12.0-2) unstable; urgency=low
+
+ * Fixed postgresql dependency
+ Closes: #472987
+ * Added instructions to install and upgrade
+ Closes: #472990, #472831
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
+
+mediawiki (1:1.12.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated patch for postfix support: dropped what
+ has been implemented upstream
+ * Refreshed other patches, thanks to quilt
+ * Changed postgresql recommends to "postgresql" package
+ Closes: #469582
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
+
+mediawiki (1:1.11.2-2) unstable; urgency=high
+
+ * Added patch to fix pgsql select, thanks to Marc Dequènes
+ Closes: #469841
+ * Upated README.Debian to mention php5-gd instead of php5-gd2
+ and texlive-latex-base instead to tetex-bin.
+ Closes: #469558
+ * still setting urgency to high since previous upload didn't make it
+ to testing.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
+
+mediawiki (1:1.11.2-1) unstable; urgency=high
+
+ * New upstream release
+ * Security fix:
+ "Possible cross-site information leaks using the callback
+ parameter for JSON-formatted results in the API are prevented by
+ dropping user credentials."
+ * Added informations on LocalSettings.php in README.Debian
+ Closes: #462609
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
+
+mediawiki (1:1.11.1-1) unstable; urgency=high
+
+ * New upstream release
+ * A potential XSS injection vector affecting
+ Microsoft Internet Explorer users has been
+ closed.
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
+
+mediawiki (1:1.11.0-4) unstable; urgency=low
+
+ * Really add the patch for #459312
+ * Added also patch to fix #459617
+ Closes: #459617
+ * Merged two previous patches
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
+
+mediawiki (1:1.11.0-3) unstable; urgency=low
+
+ * Really remove debian specific scripts
+ * Backported patch to fix unserialize with postgre
+ Closes: #459312
+ * Added finnish translation of the debconf templates, thanks to Esko
+ Arajärvi. Closes: #456983
+ * Updated standards to 3.7.3 (no changes)
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
+
+mediawiki (1:1.11.0-2) unstable; urgency=low
+
+ * Initial upload of 1.11.0 to unstable
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
+
+mediawiki (1:1.11.0-1) experimental; urgency=low
+
+ * Removed mediawikiX versioned packages
+ * Updated to mediawiki 1.11
+ * Removed automatic upgrade script
+ * Updated README.Debian (Closes: #442311, #442302)
+ * Changed default upload directory (Closes: #444445)
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
+
+mediawiki (1:1.10) unstable; urgency=low
+
+ * Switched to mediawiki1.10
+ * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
+
+ -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
+
+mediawiki (1:1.9) unstable; urgency=low
+
+ * Switched to mediawiki1.9, closes: #392932
+ * Corrected typo in control, closes: #414121
+ * Seperated -math extension to a single package, closes: #401714
+
+ -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
+
+mediawiki (1:1.7) unstable; urgency=low
+
+ * Initial Release
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1578.patch (from rev 274, mediawiki/squeeze/debian/patches/CVE-2011-1578.patch)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1578.patch (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1578.patch 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,134 @@
+Description: cross-site scripting problem in IE <= 6 clients
+ Due to the diversity of uploaded files that we allow, MediaWiki does
+ not guarantee that uploaded files will be safe if they are interpreted
+ by the client as some arbitrary file type, such as HTML. We rely on
+ the web server to send the correct Content-Type header, and we rely on
+ the web browser to respect it. This XSS issue arises due to IE 6
+ looking for a file extension in the query string of the URL (i.e.
+ after the "?"), if no extension is found in path part of the URL.
+ Masato Kinugawa discovered that the file extension in the path part
+ can be hidden from IE 6 by substituting the "." with "%2E".
+Origin: upstream,r85844/r85849
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235
+Last-Update: 2011-12-17
+
+--- /dev/null
++++ mediawiki-1.15.5/images/.htaccess
+@@ -0,0 +1,6 @@
++# Protect against bug 28235
++<IfModule rewrite_module>
++ RewriteEngine On
++ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteRule . - [forbidden]
++</IfModule>
+--- mediawiki-1.15.5.orig/img_auth.php
++++ mediawiki-1.15.5/img_auth.php
+@@ -25,6 +25,13 @@
+ wfPublicError();
+ }
+
++// Check for bug 28235: QUERY_STRING overriding the correct extension
++if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++{
++ wfForbidden();
++}
++
+ // Extract path and image information
+ if( !isset( $_SERVER['PATH_INFO'] ) ) {
+ wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
+--- mediawiki-1.15.5.orig/includes/RawPage.php
++++ mediawiki-1.15.5/includes/RawPage.php
+@@ -109,7 +109,7 @@
+ }
+
+ function view() {
+- global $wgOut, $wgScript;
++ global $wgOut, $wgScript, $wgRequest;
+
+ if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ # Normally we use PHP_SELF to get the URL to the script
+@@ -136,7 +136,7 @@
+ return;
+ }
+
+- if( strcmp( $wgScript, $url ) ) {
++ if( $wgRequest->isPathInfoBad() ) {
+ # Internet Explorer will ignore the Content-Type header if it
+ # thinks it sees a file extension it recognizes. Make sure that
+ # all raw requests are done through the script node, which will
+@@ -150,6 +150,7 @@
+ #
+ # Just return a 403 Forbidden and get it over with.
+ wfHttpError( 403, 'Forbidden',
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
+ 'Raw pages must be accessed through the primary script entry point.' );
+ return;
+ }
+--- mediawiki-1.15.5.orig/includes/WebRequest.php
++++ mediawiki-1.15.5/includes/WebRequest.php
+@@ -662,6 +662,50 @@
+ function setSessionData( $key, $data ) {
+ $_SESSION[$key] = $data;
+ }
++
++ /**
++ * Returns true if the PATH_INFO ends with an extension other than a script
++ * extension. This could confuse IE for scripts that send arbitrary data which
++ * is not HTML but may be detected as such.
++ *
++ * Various past attempts to use the URL to make this check have generally
++ * run up against the fact that CGI does not provide a standard method to
++ * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
++ * but only by prefixing it with the script name and maybe some other stuff,
++ * the extension is not mangled. So this should be a reasonably portable
++ * way to perform this security check.
++ *
++ * Also checks for anything that looks like a file extension at the end of
++ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
++ * if there was no dot before the question mark (bug 28235).
++ */
++ public function isPathInfoBad() {
++ global $wgScriptExtension;
++
++ if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ {
++ // Bug 28235
++ // Block only Internet Explorer, and requests with missing UA
++ // headers that could be IE users behind a privacy proxy.
++ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
++ || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
++ {
++ return true;
++ }
++ }
++
++ if ( !isset( $_SERVER['PATH_INFO'] ) ) {
++ return false;
++ }
++ $pi = $_SERVER['PATH_INFO'];
++ $dotPos = strrpos( $pi, '.' );
++ if ( $dotPos === false ) {
++ return false;
++ }
++ $ext = substr( $pi, $dotPos );
++ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) );
++ }
+ }
+
+ /**
+--- mediawiki-1.15.5.orig/api.php
++++ mediawiki-1.15.5/api.php
+@@ -56,9 +56,9 @@
+ } else {
+ $url = $_SERVER['PHP_SELF'];
+ }
+-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
++if ( $wgRequest->isPathInfoBad() ) {
+ wfHttpError( 403, 'Forbidden',
+- 'API must be accessed through the primary script entry point.' );
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
+ return;
+ }
+
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1579.patch (from rev 275, mediawiki/squeeze/debian/patches/CVE-2011-1579.patch)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1579.patch (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1579.patch 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,80 @@
+Description: CSS validation error in wikitext parser
+ Wikipedia user Suffusion of Yellow discovered a CSS validation error
+ in the wikitext parser. This is an XSS issue for Internet Explorer
+ clients, and a privacy loss issue for other clients since it allows
+ the embedding of arbitrary remote images.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -646,28 +646,34 @@
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+- * Returns a sanitized string, or false if it was just too evil.
++ * Returns a sanitized string. This sanitized string will have
++ * character references and escape sequences decoded, and comments
++ * stripped. If the input is just too evil, only a comment complaining
++ * about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
++ * NOTE: Despite the fact that character references are decoded, the
++ * returned string may contain character references given certain
++ * clever input strings. These character references must
++ * be escaped before the return value is embedded in HTML.
++ *
+ * @param string $value
+- * @return mixed
++ * @return string
+ */
+ static function checkCss( $value ) {
++ // Decode character references like {
+ $value = Sanitizer::decodeCharReferences( $value );
+
+- // Remove any comments; IE gets token splitting wrong
+- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+-
+- // Remove anything after a comment-start token, to guard against
+- // incorrect client implementations.
+- $commentPos = strpos( $value, '/*' );
+- if ( $commentPos !== false ) {
+- $value = substr( $value, 0, $commentPos );
+- }
+-
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
++ // This has to be done AFTER decoding character references.
++ // This means it isn't possible for this function to return
++ // unsanitized escape sequences. It is possible to manufacture
++ // input that contains character references that decode to
++ // escape sequences that decode to character references, but
++ // it's OK for the return value to contain character references
++ // because the caller is supposed to escape those anyway.
+ static $decodeRegex, $reencodeTable;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+@@ -684,6 +690,21 @@
+ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+
++ // Remove any comments; IE gets token splitting wrong
++ // This must be done AFTER decoding character references and
++ // escape sequences, because those steps can introduce comments
++ // This step cannot introduce character references or escape
++ // sequences, because it replaces comments with spaces rather
++ // than removing them completely.
++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
++
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Reject problematic keywords and control characters
+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ return '/* invalid control char */';
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1580.patch (from rev 276, mediawiki/squeeze/debian/patches/CVE-2011-1580.patch)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1580.patch (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1580.patch 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,68 @@
+Description: access control check on transwiki import feature
+ The transwiki import feature is disabled by default. If it is enabled,
+ it allows wiki pages to be copied from a remote wiki listed in
+ $wgImportSources. The issue means that any user can trigger such an
+ import to occur.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Title.php
++++ mediawiki-1.15.5/includes/Title.php
+@@ -1090,8 +1090,14 @@
+ $errors[] = array( 'confirmedittext' );
+ }
+
+- // Edit blocks should not affect reading. Account creation blocks handled at userlogin.
+- if ( $action != 'read' && $action != 'createaccount' && $user->isBlockedFrom( $this ) ) {
++ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){
++ // Edit blocks should not affect reading.
++ // Account creation blocks handled at userlogin.
++ // Unblocking handled in SpecialUnblock
++ } elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){
++ // Don't block the user from editing their own talk page unless they've been
++ // explicitly blocked from that too.
++ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) {
+ $block = $user->mBlock;
+
+ // This is from OutputPage::blockedPage
+--- mediawiki-1.15.5.orig/includes/specials/SpecialImport.php
++++ mediawiki-1.15.5/includes/specials/SpecialImport.php
+@@ -45,7 +45,7 @@
+ * Execute
+ */
+ function execute( $par ) {
+- global $wgRequest;
++ global $wgRequest, $wgUser, $wgOut;
+
+ $this->setHeaders();
+ $this->outputHeader();
+@@ -55,7 +55,18 @@
+ $wgOut->readOnlyPage();
+ return;
+ }
+-
++
++ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {
++ return $wgOut->permissionRequired( 'import' );
++ }
++
++ # TODO: allow Title::getUserPermissionsErrors() to take an array
++ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
++ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
++ $errors = wfMergeErrorArrays(
++ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
++ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
++ );
+ if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
+ $this->doImport();
+ }
+@@ -133,8 +144,6 @@
+
+ private function showForm() {
+ global $wgUser, $wgOut, $wgRequest, $wgTitle, $wgImportSources, $wgExportMaxLinkDepth;
+- if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+- return $wgOut->permissionRequired( 'import' );
+
+ $action = $wgTitle->getLocalUrl( 'action=submit' );
+
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1587.patch (from rev 277, mediawiki/squeeze/debian/patches/CVE-2011-1587.patch)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1587.patch (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/CVE-2011-1587.patch 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,37 @@
+Description: fix insufficient patch for CVE-2011-1578
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=86027
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28507
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/images/.htaccess
++++ mediawiki-1.15.5/images/.htaccess
+@@ -1,6 +1,6 @@
+ # Protect against bug 28235
+ <IfModule rewrite_module>
+ RewriteEngine On
+- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+ RewriteRule . - [forbidden]
+ </IfModule>
+--- mediawiki-1.15.5.orig/img_auth.php
++++ mediawiki-1.15.5/img_auth.php
+@@ -27,7 +27,7 @@
+
+ // Check for bug 28235: QUERY_STRING overriding the correct extension
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ wfForbidden();
+ }
+--- mediawiki-1.15.5.orig/includes/WebRequest.php
++++ mediawiki-1.15.5/includes/WebRequest.php
+@@ -683,7 +683,7 @@
+ global $wgScriptExtension;
+
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer, and requests with missing UA
Deleted: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series
===================================================================
--- mediawiki/squeeze/debian/patches/series 2011-12-05 22:14:51 UTC (rev 273)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series 2011-12-18 23:43:37 UTC (rev 285)
@@ -1,11 +0,0 @@
-texvc_location.patch
-mimetypes.patch
-debian_specific_config.patch
-detect_invalid_titles.patch
-add_rss_guid.patch
-backup_documentation.patch
-suppress_warnings.patch
-CVE-2011-0003.patch
-CVE-2011-0047.patch
-CVE-2011-4360.patch
-CVE-2011-4361.patch
Copied: mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series (from rev 277, mediawiki/squeeze/debian/patches/series)
===================================================================
--- mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series (rev 0)
+++ mediawiki/tags/1:1.15.5-2squeeze2/debian/patches/series 2011-12-18 23:43:37 UTC (rev 285)
@@ -0,0 +1,15 @@
+texvc_location.patch
+mimetypes.patch
+debian_specific_config.patch
+detect_invalid_titles.patch
+add_rss_guid.patch
+backup_documentation.patch
+suppress_warnings.patch
+CVE-2011-0003.patch
+CVE-2011-0047.patch
+CVE-2011-1578.patch
+CVE-2011-1579.patch
+CVE-2011-1580.patch
+CVE-2011-1587.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch
More information about the Pkg-mediawiki-commits
mailing list