[Pkg-mediawiki-commits] r286 - in mediawiki/tags: . 1:1.12.0-2lenny9 1:1.12.0-2lenny9/debian 1:1.12.0-2lenny9/debian/patches
Jonathan Wiltshire
jmw at alioth.debian.org
Sun Dec 18 23:44:14 UTC 2011
Author: jmw
Date: 2011-12-18 23:44:13 +0000 (Sun, 18 Dec 2011)
New Revision: 286
Added:
mediawiki/tags/1:1.12.0-2lenny9/
mediawiki/tags/1:1.12.0-2lenny9/debian/changelog
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1578.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1579.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1580.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1587.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series
Removed:
mediawiki/tags/1:1.12.0-2lenny9/debian/changelog
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch
mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series
Log:
[svn-buildpackage] Tagging mediawiki 1:1.12.0-2lenny9
Property changes on: mediawiki/tags/1:1.12.0-2lenny9
___________________________________________________________________
Added: svn:mergeinfo
+
Deleted: mediawiki/tags/1:1.12.0-2lenny9/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/changelog 2011-12-18 23:44:13 UTC (rev 286)
@@ -1,231 +0,0 @@
-mediawiki (1:1.12.0-2lenny9) UNRELEASED; urgency=low
-
- * Security fixes from upstream (Closes: #650434):
- CVE-2011-4360 - page titles on private wikis could be exposed
- bypassing different page ids to index.php
- CVE-2011-4361 - action=ajax requests were dispatched to the
- relevant function without any read permission checks being done
-
- -- Jonathan Wiltshire <jmw at debian.org> Thu, 01 Dec 2011 12:37:28 +0000
-
-mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
-
- * Oldstable upload.
- * CVE-2011-0047: Protect against a CSS injection vulnerability
- (closes: #611787)
-
- -- Jonathan Wiltshire <jmw at debian.org> Sun, 06 Feb 2011 16:16:23 +0000
-
-mediawiki (1:1.12.0-2lenny7) stable; urgency=high
-
- * Stable upload.
- * CVE-2011-0003: Minimise risk of clickjacking by denying
- framing on all pages except normal page views and a few
- selected special pages
-
- -- Jonathan Wiltshire <jmw at debian.org> Tue, 04 Jan 2011 19:32:42 +0000
-
-mediawiki (1:1.12.0-2lenny6) stable; urgency=high
-
- * Stable upload. Closes: #591382
- * Fixed CSRF vulnerability in "e-mail me my password",
- "create account" and "create by e-mail" features of
- [[Special:Userlogin]]. CVE-2010-1648
- * Fixed XSS vulnerability affecting IE clients only, due to a CSS
- validation issue. CVE-2010-1647 (Closes: #585918)
- * Fixed an XSS vulnerability in profileinfo.php for installations
- with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
-
- -- Jonathan Wiltshire <jmw at debian.org> Fri, 17 Dec 2010 23:32:46 +0000
-
-mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
-
- * Security upload. Fixes the following issue (CVE-2010-1150):
- "MediaWiki was found to be vulnerable to login CSRF. An attacker who
- controls a user account on the target wiki can force the victim to log
- in as the attacker, via a script on an external website. If the wiki is
- configured to allow user scripts, say with "$wgAllowUserJs = true" in
- LocalSettings.php, then the attacker can proceed to mount a
- phishing-style attack against the victim to obtain their password.
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:59:06 -0500
-
-mediawiki (1:1.12.0-2lenny4) stable-security; urgency=high
-
- * Security upload. Fixes two security issue:
- "A CSS validation issue was discovered which allows
- editors to display external images in wiki pages.
- This is a privacy concern on public wikis, since a
- malicious user may link to an image on a server they
- control, which would allow that attacker to gather IP
- addresses and other information from users of the public
- wiki. All sites running publicly-editable MediaWiki
- installations are advised to upgrade.
-
- A data leakage vulnerability was discovered in thumb.php which affects
- wikis which restrict access to private files using img_auth.php, or
- some similar scheme. All versions of MediaWiki since 1.5 are affected."
- * Backported patches from upstream release, via the Ubuntu package.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 14:29:43 -0500
-
-mediawiki (1:1.12.0-2lenny3) testing-security; urgency=high
-
- * Security upload.
- * Applied changes from 1.12.4:
- "A number of cross-site scripting (XSS) security vulnerabilities were
- discovered in the web-based installer (config/index.php). These
- vulnerabilities all require a live installer -- once the installer
- has been used to install a wiki, it is deactivated."
- Closes: #514547
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 07 Feb 2009 19:57:08 +0100
-
-mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
-
- * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
- * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
- - Fixed output escaping for reporting of non-MediaWiki exceptions.
- Potential XSS if an extension throws one of these with user input.
- - Avoid fatal error in profileinfo.php when not configured.
- - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
- transwiki import feature.
- - Add a .htaccess to deleted images directory for additional protection
- against exposure of deleted files with known SHA-1 hashes on default
- installations.
- - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
- which are interpreted by IE as HTML.
- - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
- uploads are enabled. Firefox 1.5+ is affected.
- - Avoid streaming uploaded files to the user via index.php. This allows
- security-conscious users to serve uploaded files via a different domain,
- and thus client-side scripts executed from that domain cannot access the
- login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
- - When streaming files via index.php, use the MIME type detected from the
- file extension, not from the data. This reduces the XSS attack surface.
- - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
- XSS vulnerabilities involving uploads of files containing scripts.
- Closes: #508869, #508870
-
- -- Giuseppe Iuculano <giuseppe at iuculano.it> Sun, 18 Jan 2009 11:54:02 +0100
-
-mediawiki (1:1.12.0-2lenny1) testing-security; urgency=high
-
- * Security update, fix CVE-2008-4408:
- "Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
- and possibly other versions before 1.13.2 allows remote attackers
- to inject arbitrary web script or HTML via the useskin parameter
- to an unspecified component."
- Closes: #501115
-
- -- Romain Beauxis <toots at rastageeks.org> Tue, 14 Oct 2008 15:56:19 +0200
-
-mediawiki (1:1.12.0-2) unstable; urgency=low
-
- * Fixed postgresql dependency
- Closes: #472987
- * Added instructions to install and upgrade
- Closes: #472990, #472831
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
-
-mediawiki (1:1.12.0-1) unstable; urgency=low
-
- * New upstream release
- * Updated patch for postfix support: dropped what
- has been implemented upstream
- * Refreshed other patches, thanks to quilt
- * Changed postgresql recommends to "postgresql" package
- Closes: #469582
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
-
-mediawiki (1:1.11.2-2) unstable; urgency=high
-
- * Added patch to fix pgsql select, thanks to Marc Dequènes
- Closes: #469841
- * Upated README.Debian to mention php5-gd instead of php5-gd2
- and texlive-latex-base instead to tetex-bin.
- Closes: #469558
- * still setting urgency to high since previous upload didn't make it
- to testing.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
-
-mediawiki (1:1.11.2-1) unstable; urgency=high
-
- * New upstream release
- * Security fix:
- "Possible cross-site information leaks using the callback
- parameter for JSON-formatted results in the API are prevented by
- dropping user credentials."
- * Added informations on LocalSettings.php in README.Debian
- Closes: #462609
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
-
-mediawiki (1:1.11.1-1) unstable; urgency=high
-
- * New upstream release
- * A potential XSS injection vector affecting
- Microsoft Internet Explorer users has been
- closed.
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
-
-mediawiki (1:1.11.0-4) unstable; urgency=low
-
- * Really add the patch for #459312
- * Added also patch to fix #459617
- Closes: #459617
- * Merged two previous patches
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
-
-mediawiki (1:1.11.0-3) unstable; urgency=low
-
- * Really remove debian specific scripts
- * Backported patch to fix unserialize with postgre
- Closes: #459312
- * Added finnish translation of the debconf templates, thanks to Esko
- Arajärvi. Closes: #456983
- * Updated standards to 3.7.3 (no changes)
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
-
-mediawiki (1:1.11.0-2) unstable; urgency=low
-
- * Initial upload of 1.11.0 to unstable
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
-
-mediawiki (1:1.11.0-1) experimental; urgency=low
-
- * Removed mediawikiX versioned packages
- * Updated to mediawiki 1.11
- * Removed automatic upgrade script
- * Updated README.Debian (Closes: #442311, #442302)
- * Changed default upload directory (Closes: #444445)
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
-
-mediawiki (1:1.10) unstable; urgency=low
-
- * Switched to mediawiki1.10
- * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
-
- -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
-
-mediawiki (1:1.9) unstable; urgency=low
-
- * Switched to mediawiki1.9, closes: #392932
- * Corrected typo in control, closes: #414121
- * Seperated -math extension to a single package, closes: #401714
-
- -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
-
-mediawiki (1:1.7) unstable; urgency=low
-
- * Initial Release
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/changelog (from rev 284, mediawiki/lenny/debian/changelog)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/changelog (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/changelog 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,235 @@
+mediawiki (1:1.12.0-2lenny9) oldstable-security; urgency=low
+
+ * Security fixes from upstream (Closes: #650434):
+ CVE-2011-4360 - page titles on private wikis could be exposed
+ bypassing different page ids to index.php
+ CVE-2011-4361 - action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done
+ CVE-2011-1578 - XSS for IE <= 6
+ CVE-2011-1579 - CSS validation error in wikitext parser
+ CVE-2011-1580 - access control checks on transwiki import feature
+ CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 18 Dec 2011 23:19:40 +0000
+
+mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
+
+ * Oldstable upload.
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 06 Feb 2011 16:16:23 +0000
+
+mediawiki (1:1.12.0-2lenny7) stable; urgency=high
+
+ * Stable upload.
+ * CVE-2011-0003: Minimise risk of clickjacking by denying
+ framing on all pages except normal page views and a few
+ selected special pages
+
+ -- Jonathan Wiltshire <jmw at debian.org> Tue, 04 Jan 2011 19:32:42 +0000
+
+mediawiki (1:1.12.0-2lenny6) stable; urgency=high
+
+ * Stable upload. Closes: #591382
+ * Fixed CSRF vulnerability in "e-mail me my password",
+ "create account" and "create by e-mail" features of
+ [[Special:Userlogin]]. CVE-2010-1648
+ * Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue. CVE-2010-1647 (Closes: #585918)
+ * Fixed an XSS vulnerability in profileinfo.php for installations
+ with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
+
+ -- Jonathan Wiltshire <jmw at debian.org> Fri, 17 Dec 2010 23:32:46 +0000
+
+mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
+
+ * Security upload. Fixes the following issue (CVE-2010-1150):
+ "MediaWiki was found to be vulnerable to login CSRF. An attacker who
+ controls a user account on the target wiki can force the victim to log
+ in as the attacker, via a script on an external website. If the wiki is
+ configured to allow user scripts, say with "$wgAllowUserJs = true" in
+ LocalSettings.php, then the attacker can proceed to mount a
+ phishing-style attack against the victim to obtain their password.
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:59:06 -0500
+
+mediawiki (1:1.12.0-2lenny4) stable-security; urgency=high
+
+ * Security upload. Fixes two security issue:
+ "A CSS validation issue was discovered which allows
+ editors to display external images in wiki pages.
+ This is a privacy concern on public wikis, since a
+ malicious user may link to an image on a server they
+ control, which would allow that attacker to gather IP
+ addresses and other information from users of the public
+ wiki. All sites running publicly-editable MediaWiki
+ installations are advised to upgrade.
+
+ A data leakage vulnerability was discovered in thumb.php which affects
+ wikis which restrict access to private files using img_auth.php, or
+ some similar scheme. All versions of MediaWiki since 1.5 are affected."
+ * Backported patches from upstream release, via the Ubuntu package.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 14:29:43 -0500
+
+mediawiki (1:1.12.0-2lenny3) testing-security; urgency=high
+
+ * Security upload.
+ * Applied changes from 1.12.4:
+ "A number of cross-site scripting (XSS) security vulnerabilities were
+ discovered in the web-based installer (config/index.php). These
+ vulnerabilities all require a live installer -- once the installer
+ has been used to install a wiki, it is deactivated."
+ Closes: #514547
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 07 Feb 2009 19:57:08 +0100
+
+mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
+
+ * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
+ * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
+ - Fixed output escaping for reporting of non-MediaWiki exceptions.
+ Potential XSS if an extension throws one of these with user input.
+ - Avoid fatal error in profileinfo.php when not configured.
+ - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
+ transwiki import feature.
+ - Add a .htaccess to deleted images directory for additional protection
+ against exposure of deleted files with known SHA-1 hashes on default
+ installations.
+ - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
+ which are interpreted by IE as HTML.
+ - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
+ uploads are enabled. Firefox 1.5+ is affected.
+ - Avoid streaming uploaded files to the user via index.php. This allows
+ security-conscious users to serve uploaded files via a different domain,
+ and thus client-side scripts executed from that domain cannot access the
+ login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
+ - When streaming files via index.php, use the MIME type detected from the
+ file extension, not from the data. This reduces the XSS attack surface.
+ - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
+ XSS vulnerabilities involving uploads of files containing scripts.
+ Closes: #508869, #508870
+
+ -- Giuseppe Iuculano <giuseppe at iuculano.it> Sun, 18 Jan 2009 11:54:02 +0100
+
+mediawiki (1:1.12.0-2lenny1) testing-security; urgency=high
+
+ * Security update, fix CVE-2008-4408:
+ "Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
+ and possibly other versions before 1.13.2 allows remote attackers
+ to inject arbitrary web script or HTML via the useskin parameter
+ to an unspecified component."
+ Closes: #501115
+
+ -- Romain Beauxis <toots at rastageeks.org> Tue, 14 Oct 2008 15:56:19 +0200
+
+mediawiki (1:1.12.0-2) unstable; urgency=low
+
+ * Fixed postgresql dependency
+ Closes: #472987
+ * Added instructions to install and upgrade
+ Closes: #472990, #472831
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
+
+mediawiki (1:1.12.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated patch for postfix support: dropped what
+ has been implemented upstream
+ * Refreshed other patches, thanks to quilt
+ * Changed postgresql recommends to "postgresql" package
+ Closes: #469582
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
+
+mediawiki (1:1.11.2-2) unstable; urgency=high
+
+ * Added patch to fix pgsql select, thanks to Marc Dequènes
+ Closes: #469841
+ * Upated README.Debian to mention php5-gd instead of php5-gd2
+ and texlive-latex-base instead to tetex-bin.
+ Closes: #469558
+ * still setting urgency to high since previous upload didn't make it
+ to testing.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
+
+mediawiki (1:1.11.2-1) unstable; urgency=high
+
+ * New upstream release
+ * Security fix:
+ "Possible cross-site information leaks using the callback
+ parameter for JSON-formatted results in the API are prevented by
+ dropping user credentials."
+ * Added informations on LocalSettings.php in README.Debian
+ Closes: #462609
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
+
+mediawiki (1:1.11.1-1) unstable; urgency=high
+
+ * New upstream release
+ * A potential XSS injection vector affecting
+ Microsoft Internet Explorer users has been
+ closed.
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
+
+mediawiki (1:1.11.0-4) unstable; urgency=low
+
+ * Really add the patch for #459312
+ * Added also patch to fix #459617
+ Closes: #459617
+ * Merged two previous patches
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
+
+mediawiki (1:1.11.0-3) unstable; urgency=low
+
+ * Really remove debian specific scripts
+ * Backported patch to fix unserialize with postgre
+ Closes: #459312
+ * Added finnish translation of the debconf templates, thanks to Esko
+ Arajärvi. Closes: #456983
+ * Updated standards to 3.7.3 (no changes)
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
+
+mediawiki (1:1.11.0-2) unstable; urgency=low
+
+ * Initial upload of 1.11.0 to unstable
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
+
+mediawiki (1:1.11.0-1) experimental; urgency=low
+
+ * Removed mediawikiX versioned packages
+ * Updated to mediawiki 1.11
+ * Removed automatic upgrade script
+ * Updated README.Debian (Closes: #442311, #442302)
+ * Changed default upload directory (Closes: #444445)
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
+
+mediawiki (1:1.10) unstable; urgency=low
+
+ * Switched to mediawiki1.10
+ * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
+
+ -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
+
+mediawiki (1:1.9) unstable; urgency=low
+
+ * Switched to mediawiki1.9, closes: #392932
+ * Corrected typo in control, closes: #414121
+ * Seperated -math extension to a single package, closes: #401714
+
+ -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
+
+mediawiki (1:1.7) unstable; urgency=low
+
+ * Initial Release
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
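Review bot: In the new 1:1.12.0-2lenny9 entry, the CVE-2011-4360 line reads "bypassing different page ids to index.php", which looks like a typo for "by passing different page ids" and changes the meaning of the sentence. The entry targets oldstable-security with urgency=low, while every earlier security upload in this file uses urgency=high; raise it or say why low is intended. The CVE-2011-1580 line ("access control checks on transwiki import feature") should state what was missing, in the way the CVE-2011-4361 line does.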
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1578.patch (from rev 282, mediawiki/lenny/debian/patches/CVE-2011-1578.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1578.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1578.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,135 @@
+Description: cross-site scripting problem in IE <= 6 clients
+ Due to the diversity of uploaded files that we allow, MediaWiki does
+ not guarantee that uploaded files will be safe if they are interpreted
+ by the client as some arbitrary file type, such as HTML. We rely on
+ the web server to send the correct Content-Type header, and we rely on
+ the web browser to respect it. This XSS issue arises due to IE 6
+ looking for a file extension in the query string of the URL (i.e.
+ after the "?"), if no extension is found in path part of the URL.
+ Masato Kinugawa discovered that the file extension in the path part
+ can be hidden from IE 6 by substituting the "." with "%2E".
+Origin: upstream,r85844/r85849
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235
+Last-Update: 2011-12-17
+
+--- /dev/null
++++ mediawiki-1.12.0/images/.htaccess
+@@ -0,0 +1,6 @@
++# Protect against bug 28235
++<IfModule rewrite_module>
++ RewriteEngine On
++ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteRule . - [forbidden]
++</IfModule>
+--- mediawiki-1.12.0.orig/img_auth.php
++++ mediawiki-1.12.0/img_auth.php
+@@ -23,6 +23,13 @@
+ wfPublicError();
+ }
+
++// Check for bug 28235: QUERY_STRING overriding the correct extension
++if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++{
++ wfForbidden();
++}
++
+ // Extract path and image information
+ if( !isset( $_SERVER['PATH_INFO'] ) ) {
+ wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
+--- mediawiki-1.12.0.orig/includes/RawPage.php
++++ mediawiki-1.12.0/includes/RawPage.php
+@@ -108,7 +108,7 @@
+ }
+
+ function view() {
+- global $wgOut, $wgScript;
++ global $wgOut, $wgScript, $wgRequest;
+
+ if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ # Normally we use PHP_SELF to get the URL to the script
+@@ -126,7 +126,7 @@
+ $url = $_SERVER['PHP_SELF'];
+ }
+
+- if( strcmp( $wgScript, $url ) ) {
++ if( $wgRequest->isPathInfoBad() ) {
+ # Internet Explorer will ignore the Content-Type header if it
+ # thinks it sees a file extension it recognizes. Make sure that
+ # all raw requests are done through the script node, which will
+@@ -140,6 +140,7 @@
+ #
+ # Just return a 403 Forbidden and get it over with.
+ wfHttpError( 403, 'Forbidden',
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
+ 'Raw pages must be accessed through the primary script entry point.' );
+ return;
+ }
+--- mediawiki-1.12.0.orig/includes/WebRequest.php
++++ mediawiki-1.12.0/includes/WebRequest.php
+@@ -600,7 +600,50 @@
+ function setSessionData( $key, $data ) {
+ $_SESSION[$key] = $data;
+ }
+-
++
++ /**
++ * Returns true if the PATH_INFO ends with an extension other than a script
++ * extension. This could confuse IE for scripts that send arbitrary data which
++ * is not HTML but may be detected as such.
++ *
++ * Various past attempts to use the URL to make this check have generally
++ * run up against the fact that CGI does not provide a standard method to
++ * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
++ * but only by prefixing it with the script name and maybe some other stuff,
++ * the extension is not mangled. So this should be a reasonably portable
++ * way to perform this security check.
++ *
++ * Also checks for anything that looks like a file extension at the end of
++ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
++ * if there was no dot before the question mark (bug 28235).
++ */
++ public function isPathInfoBad() {
++ global $wgScriptExtension;
++
++ if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ {
++ // Bug 28235
++ // Block only Internet Explorer 6, and requests with missing UA
++ // headers that could be IE users behind a privacy proxy.
++ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
++ || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
++ {
++ return true;
++ }
++ }
++
++ if ( !isset( $_SERVER['PATH_INFO'] ) ) {
++ return false;
++ }
++ $pi = $_SERVER['PATH_INFO'];
++ $dotPos = strrpos( $pi, '.' );
++ if ( $dotPos === false ) {
++ return false;
++ }
++ $ext = substr( $pi, $dotPos );
++ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) );
++ }
+ }
+
+ /**
+--- mediawiki-1.12.0.orig/api.php
++++ mediawiki-1.12.0/api.php
+@@ -54,9 +54,9 @@
+ } else {
+ $url = $_SERVER['PHP_SELF'];
+ }
+-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
++if ( $wgRequest->isPathInfoBad() ) {
+ wfHttpError( 403, 'Forbidden',
+- 'API must be accessed through the primary script entry point.' );
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
+ return;
+ }
+
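Review bot: In the WebRequest.php hunk, isPathInfoBad() returns true for the QUERY_STRING case only when the User-Agent is missing or matches '/; *MSIE 6/', yet the patch description says "IE <= 6" and the docblock says "IE 6 and earlier", so older IE versions pass this check; widen the User-Agent match or correct the comments. The images/.htaccess rule and the img_auth.php check apply the same QUERY_STRING test to every client with no User-Agent condition, so the three entry points behave differently, and a comment saying that this is intentional would help. The .htaccess rule sits inside <IfModule rewrite_module>, so on a server without mod_rewrite the protection for directly served images is silently absent; that deserves a line in README.Debian. The pattern '/\.[a-z]{1,4}$/i' is copied into three files and matches letters only at the very end of the string; a single shared definition would make later tightening less error-prone.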
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1579.patch (from rev 282, mediawiki/lenny/debian/patches/CVE-2011-1579.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1579.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1579.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,81 @@
+Description: CSS validation error in wikitext parser
+ Wikipedia user Suffusion of Yellow discovered a CSS validation error
+ in the wikitext parser. This is an XSS issue for Internet Explorer
+ clients, and a privacy loss issue for other clients since it allows
+ the embedding of arbitrary remote images.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450
+Last-Update: 2011-12-17
+
+--- mediawiki-1.12.0.orig/includes/Sanitizer.php
++++ mediawiki-1.12.0/includes/Sanitizer.php
+@@ -650,28 +650,34 @@
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+- * Returns a sanitized string, or false if it was just too evil.
++ * Returns a sanitized string. This sanitized string will have
++ * character references and escape sequences decoded, and comments
++ * stripped. If the input is just too evil, only a comment complaining
++ * about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
++ * NOTE: Despite the fact that character references are decoded, the
++ * returned string may contain character references given certain
++ * clever input strings. These character references must
++ * be escaped before the return value is embedded in HTML.
++ *
+ * @param string $value
+- * @return mixed
++ * @return string
+ */
+ static function checkCss( $value ) {
++ // Decode character references like {
+ $value = Sanitizer::decodeCharReferences( $value );
+
+- // Remove any comments; IE gets token splitting wrong
+- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+-
+- // Remove anything after a comment-start token, to guard against
+- // incorrect client implementations.
+- $commentPos = strpos( $value, '/*' );
+- if ( $commentPos !== false ) {
+- $value = substr( $value, 0, $commentPos );
+- }
+-
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
++ // This has to be done AFTER decoding character references.
++ // This means it isn't possible for this function to return
++ // unsanitized escape sequences. It is possible to manufacture
++ // input that contains character references that decode to
++ // escape sequences that decode to character references, but
++ // it's OK for the return value to contain character references
++ // because the caller is supposed to escape those anyway.
+ static $decodeRegex, $reencodeTable;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+@@ -687,6 +693,22 @@
+ }
+ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
++
++ // Remove any comments; IE gets token splitting wrong
++ // This must be done AFTER decoding character references and
++ // escape sequences, because those steps can introduce comments
++ // This step cannot introduce character references or escape
++ // sequences, because it replaces comments with spaces rather
++ // than removing them completely.
++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
++
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Reject problematic keywords and control characters
+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ return '/* invalid control char */';
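Review bot: In checkCss(), the new NOTE makes the fix depend on every caller escaping the return value before embedding it in HTML, but this patch touches no caller; confirm that the call sites in the 1.12.0 tree do so, or escape here. The docblock drops "or false if it was just too evil" and changes @return from mixed to string, so any caller that still compares the result against false should be checked as well. Because the fix is purely one of ordering (comment stripping moved after both decoding steps), a regression test with input whose comment delimiters only appear after decoding would keep the steps from being reordered again.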
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1580.patch (from rev 282, mediawiki/lenny/debian/patches/CVE-2011-1580.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1580.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1580.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,52 @@
+Description: access control check on transwiki import feature
+ The transwiki import feature is disabled by default. If it is enabled,
+ it allows wiki pages to be copied from a remote wiki listed in
+ $wgImportSources. The issue means that any user can trigger such an
+ import to occur.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449
+Last-Update: 2011-12-17
+
+--- mediawiki-1.12.0.orig/includes/Title.php
++++ mediawiki-1.12.0/includes/Title.php
+@@ -1055,7 +1055,14 @@
+ $errors[] = array( 'confirmedittext' );
+ }
+
+- if ( $user->isBlockedFrom( $this ) ) {
++ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){
++ // Edit blocks should not affect reading.
++ // Account creation blocks handled at userlogin.
++ // Unblocking handled in SpecialUnblock
++ } elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){
++ // Don't block the user from editing their own talk page unless they've been
++ // explicitly blocked from that too.
++ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) {
+ $block = $user->mBlock;
+
+ // This is from OutputPage::blockedPage
+--- mediawiki-1.12.0.orig/includes/SpecialImport.php
++++ mediawiki-1.12.0/includes/SpecialImport.php
+@@ -39,6 +39,22 @@
+ return;
+ }
+
++ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {
++ return $wgOut->permissionRequired( 'import' );
++ }
++
++ # TODO: allow Title::getUserPermissionsErrors() to take an array
++ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
++ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
++ $errors = wfMergeErrorArrays(
++ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
++ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
++ );
++ if( $errors ){
++ $wgOut->showPermissionsErrorPage( $errors );
++ return;
++ }
++
+ if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') {
+ $isUpload = false;
+ $namespace = $wgRequest->getIntOrNull( 'namespace' );
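Review bot: the added block calls $this->getTitle() twice, while the surrounding context reaches everything through $wgUser, $wgOut and $wgRequest; if this code sits in a plain function on the 1.12.0 base, $this is undefined and the permission check dies before it can reject anyone. Confirm the object context, or build the title explicitly (SpecialPage::getTitleFor() is used by the CVE-2011-4360 patch in this same series). The same applies to isAllowedAny(), wfMergeErrorArrays() and showPermissionsErrorPage(): none is introduced by this patch, so each has to exist in 1.12.0 already. Minor: the first check returns the value of permissionRequired() while the second uses a bare return.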
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1587.patch (from rev 282, mediawiki/lenny/debian/patches/CVE-2011-1587.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1587.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-1587.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,37 @@
+Description: fix insufficient patch for CVE-2011-1578
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=86027
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28507
+Last-Update: 2011-12-17
+
+--- mediawiki-1.12.0.orig/images/.htaccess
++++ mediawiki-1.12.0/images/.htaccess
+@@ -1,6 +1,6 @@
+ # Protect against bug 28235
+ <IfModule rewrite_module>
+ RewriteEngine On
+- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+ RewriteRule . - [forbidden]
+ </IfModule>
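Review bot: the comment above the rule still reads "Protect against bug 28235" although this change exists because that fix was insufficient (bug 28507 per the patch header); add the second bug number so the widened pattern is not narrowed again later. The rule also sits inside <IfModule rewrite_module>, so on a server without mod_rewrite it is silently skipped and the PHP-side checks are the only protection; that dependency deserves a line in the comment.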
+--- mediawiki-1.12.0.orig/img_auth.php
++++ mediawiki-1.12.0/img_auth.php
+@@ -25,7 +25,7 @@
+
+ // Check for bug 28235: QUERY_STRING overriding the correct extension
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ wfForbidden();
+ }
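Review bot: the pattern '/\.[a-z0-9]{1,4}(#|\?|$)/i' is now repeated as a literal here, in includes/WebRequest.php and, in Apache syntax, in images/.htaccess, and this patch had to change all three in step. Put the PHP copies behind one shared constant or helper that both entry points can load, so a future correction cannot update one and miss the other, and extend the "Check for bug 28235" comment to mention bug 28507.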
+--- mediawiki-1.12.0.orig/includes/WebRequest.php
++++ mediawiki-1.12.0/includes/WebRequest.php
+@@ -621,7 +621,7 @@
+ global $wgScriptExtension;
+
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer 6, and requests with missing UA
Deleted: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4360.patch 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -1,31 +0,0 @@
-Description: CVE-2011-4360
- Alexandre Emsenhuber discovered an issue where page titles on private
- wikis could be exposed bypassing different page ids to index.php. In the
- case of the user not having correct permissions, they will now be
- redirected to Special:BadTitle.
-Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
-Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
-Bug-Debian: http://bugs.debian.org/650434
-Forwarded: not-needed
-Last-Update: 2011-11-30
-
-
---- mediawiki-1.15.5.orig/includes/Wiki.php
-+++ mediawiki-1.15.5/includes/Wiki.php
-@@ -149,6 +149,16 @@
- # the Read array in order for the user to see it. (We have to check here to
- # catch special pages etc. We check again in Article::view())
- if( !is_null( $title ) && !$title->userCanRead() ) {
-+ // Bug 32276: allowing the skin to generate output with $wgTitle
-+ // set to the input title would allow anonymous users to
-+ // determine whether a page exists, potentially leaking private data. In fact, the
-+ // curid and oldid request parameters would allow page titles to be enumerated even
-+ // when they are not guessable. So we reset the title to Special:Badtitle before the
-+ // permissions error is displayed.
-+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
-+ $output->setTitle( $badtitle );
-+ $wgTitle = $badtitle;
-+
- $output->loginToUse();
- $output->output();
- $output->disable();
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch (from rev 273, mediawiki/lenny/debian/patches/CVE-2011-4360.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4360.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,31 @@
+Description: CVE-2011-4360
+ Alexandre Emsenhuber discovered an issue where page titles on private
+ wikis could be exposed bypassing different page ids to index.php. In the
+ case of the user not having correct permissions, they will now be
+ redirected to Special:BadTitle.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+
+--- mediawiki-1.12.0.orig/includes/Wiki.php
++++ mediawiki-1.12.0/includes/Wiki.php
+@@ -123,6 +123,16 @@
+ # the Read array in order for the user to see it. (We have to check here to
+ # catch special pages etc. We check again in Article::view())
+ if ( !is_null( $title ) && !$title->userCanRead() ) {
++ // Bug 32276: allowing the skin to generate output with $wgTitle
++ // set to the input title would allow anonymous users to
++ // determine whether a page exists, potentially leaking private data. In fact, the
++ // curid and oldid request parameters would allow page titles to be enumerated even
++ // when they are not guessable. So we reset the title to Special:Badtitle before the
++ // permissions error is displayed.
++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
++ $output->setTitle( $badtitle );
++ $wgTitle = $badtitle;
++
+ $output->loginToUse();
+ $output->output();
+ exit;
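Review bot: the assignment $wgTitle = $badtitle only resets the global if $wgTitle is declared global in the enclosing function, and no such declaration is visible in this hunk's context or added by it (the CVE-2011-4361 patch, by comparison, adds $wgUser to its global line explicitly). If it is not declared on the 1.12.0 base, this creates a local variable and the skin still sees the input title; confirm the declaration or add it. In the patch header, "bypassing different page ids" should read "by passing different page ids".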
Deleted: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4361.patch 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -1,35 +0,0 @@
-Description: CVE-2011-4361
- Tim Starling discovered that action=ajax requests were dispatched to the
- relevant function without any read permission checks being done.
- This could have led to data leakage on private wikis.
-Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
-Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
-Bug-Debian: http://bugs.debian.org/650434
-Forwarded: not-needed
-Last-Update: 2011-11-30
-
---- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
-+++ mediawiki-1.15.5/includes/AjaxDispatcher.php
-@@ -78,7 +78,7 @@
- * request.
- */
- function performAction() {
-- global $wgAjaxExportList, $wgOut;
-+ global $wgAjaxExportList, $wgOut, $wgUser;
-
- if ( empty( $this->mode ) ) {
- return;
-@@ -90,6 +90,13 @@
-
- wfHttpError( 400, 'Bad Request',
- "unknown function " . (string) $this->func_name );
-+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
-+ && !$wgUser->isAllowed( 'read' ) )
-+ {
-+ wfHttpError(
-+ 403,
-+ 'Forbidden',
-+ 'You must log in to view pages.' );
- } else {
- wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
-
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch (from rev 273, mediawiki/lenny/debian/patches/CVE-2011-4361.patch)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/CVE-2011-4361.patch 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,35 @@
+Description: CVE-2011-4361
+ Tim Starling discovered that action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done.
+ This could have led to data leakage on private wikis.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+--- mediawiki-1.12.0.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.12.0/includes/AjaxDispatcher.php
+@@ -73,7 +73,7 @@
+ * request.
+ */
+ function performAction() {
+- global $wgAjaxExportList, $wgOut;
++ global $wgAjaxExportList, $wgOut, $wgUser;
+
+ if ( empty( $this->mode ) ) {
+ return;
+@@ -83,6 +83,13 @@
+ if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
+ wfHttpError( 400, 'Bad Request',
+ "unknown function " . (string) $this->func_name );
++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
++ && !$wgUser->isAllowed( 'read' ) )
++ {
++ wfHttpError(
++ 403,
++ 'Forbidden',
++ 'You must log in to view pages.' );
+ } else {
+ if ( strpos( $this->func_name, '::' ) !== false ) {
+ $func = explode( '::', $this->func_name, 2 );
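Review bot: the read check is added as an elseif after the $wgAjaxExportList lookup, so a caller without read access still gets 400 "unknown function" for names that are not exported and 403 only for names that are, which reveals the export list on a private wiki. Test the permission first and return 403 before func_name is examined. The check also covers only the global 'read' right, so exported functions that return per-page data still need their own title-level checks; a comment saying so would help.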
Deleted: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series 2011-12-18 23:44:13 UTC (rev 286)
@@ -1,17 +0,0 @@
-texvc_location.patch
-mimetypes.patch
-debian_specific_config.patch
-fix_postgre.patch
-CVE-2008-4408.patch
-CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch
-1.12.4-security.patch
-CSS-no-CVE_rev-63429.patch
-DataLeakage-no-CVE_rev-63436.patch
-1.15.3-security.patch
-1.15.4-userlogin-security.patch
-1.15.4-css-security.patch
-1.15.5-profileinfo-security.patch
-CVE-2011-0003.patch
-CVE-2011-0047.patch
-CVE-2011-4360.patch
-CVE-2011-4361.patch
Copied: mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series (from rev 281, mediawiki/lenny/debian/patches/series)
===================================================================
--- mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series (rev 0)
+++ mediawiki/tags/1:1.12.0-2lenny9/debian/patches/series 2011-12-18 23:44:13 UTC (rev 286)
@@ -0,0 +1,21 @@
+texvc_location.patch
+mimetypes.patch
+debian_specific_config.patch
+fix_postgre.patch
+CVE-2008-4408.patch
+CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch
+1.12.4-security.patch
+CSS-no-CVE_rev-63429.patch
+DataLeakage-no-CVE_rev-63436.patch
+1.15.3-security.patch
+1.15.4-userlogin-security.patch
+1.15.4-css-security.patch
+1.15.5-profileinfo-security.patch
+CVE-2011-0003.patch
+CVE-2011-0047.patch
+CVE-2011-1578.patch
+CVE-2011-1579.patch
+CVE-2011-1580.patch
+CVE-2011-1587.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch