[Pkg-mediawiki-commits] r415 - in mediawiki-extensions/branches/wheezy/debian: . patches

Thorsten Glaser tg at alioth.debian.org
Sat Dec 29 19:13:30 UTC 2012


Author: tg
Date: 2012-12-29 19:13:29 +0000 (Sat, 29 Dec 2012)
New Revision: 415

Modified:
   mediawiki-extensions/branches/wheezy/debian/changelog
   mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
Log:
prepare for upload, with changed RSS_Reader version number

- still no CVE ID yet
- I will change the code on the MW website and then
  rebase our patches against that, but only in the
  trunk, not in the wheezy branch, to ease review
- jmw will write a DSA


Modified: mediawiki-extensions/branches/wheezy/debian/changelog
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/changelog	2012-12-19 13:30:24 UTC (rev 414)
+++ mediawiki-extensions/branches/wheezy/debian/changelog	2012-12-29 19:13:29 UTC (rev 415)
@@ -1,3 +1,12 @@
+mediawiki-extensions (2.11) unstable; urgency=medium
+
+  * RSS_Reader: correctly sanitise the message body as well,
+    fixes another injection and HTML validity (the bodies are
+    not normally shown though, so only medium urgency); same
+    as 2.10; no CVE identifier yet (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Sat, 29 Dec 2012 19:12:39 +0100
+
 mediawiki-extensions (2.10) unstable; urgency=high
 
   * RSS_Reader: fix Javascript injection (Closes: #696179)
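
Review bot: In the new 2.11 entry, "same as 2.10" is ambiguous, and "(Closes: #696179)" repeats the bug number that the 2.10 entry below already closes. The phrase can be read as "the same fix as 2.10" rather than "the same vulnerability that 2.10 only partly fixed". Suggest wording it as a follow-up to the incomplete 2.10 fix for the same bug, so that readers of the changelog and the planned DSA can tell that 2.10 alone leaves the message body unsanitised. Since the entry notes there is no CVE identifier yet, it will need a later changelog update once one is assigned.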

Modified: mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch	2012-12-19 13:30:24 UTC (rev 414)
+++ mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch	2012-12-29 19:13:29 UTC (rev 415)
@@ -16,13 +16,17 @@
 Also add documentation of these changes as README.Debian and point to
 upstream's documentation in form of a wikipage.
 
+Bump the version to 0.2.6 to denote fixing the RSS title and body
+input sanitisation vulnerability, but do not rebase against the new
+upstream version to keep the diff small.
+
 --- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
 +++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
 @@ -22,10 +22,11 @@ if ( !defined('MEDIAWIKI') ) {
  }
  
  $wgExtensionFunctions[] = 'efRSSReader';
-+$wgRSSReaderExtVersion = '0.2.5';
++$wgRSSReaderExtVersion = '0.2.6';
  
  $wgExtensionCredits['parserhook'][] = array(
  	'name' => 'RSS Reader',
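
Review bot: The only code change visible in this hunk is the $wgRSSReaderExtVersion line going from '0.2.5' to '0.2.6'; the body sanitisation that the new description and the changelog refer to is not part of this revision's diff. Please confirm that the sanitisation change is already in fix_rssreader.patch from an earlier revision, so that the version bump does not advertise a fix the patched RSSReader.php lacks. Because the added description says the patch is deliberately not rebased against the new upstream version, a locally set 0.2.6 may not match upstream's 0.2.6 code. Consider noting that difference in the README.Debian this patch adds.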



