[Pkg-mediawiki-devel] Bug#332408: marked as done (mediawiki: Multiple vulnerabilities in Mediawiki)

Debian Bug Tracking System owner at bugs.debian.org
Thu Oct 6 23:33:20 UTC 2005


Your message dated Thu, 06 Oct 2005 16:17:07 -0700
with message-id <E1ENez5-0007lI-00 at spohr.debian.org>
and subject line Bug#332408: fixed in mediawiki 1.4.11-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Oct 2005 09:36:37 +0000
>From jmm at inutil.org Thu Oct 06 02:36:37 2005
Return-path: <jmm at inutil.org>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1ENSB2-0004ZZ-00; Thu, 06 Oct 2005 02:36:37 -0700
Received: from wlan-client-027.informatik.uni-bremen.de ([134.102.116.28] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1ENSAy-0007PK-BP
	for submit at bugs.debian.org; Thu, 06 Oct 2005 11:36:32 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.53)
	id 1ENSC0-00025F-0F; Thu, 06 Oct 2005 11:37:36 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: mediawiki: Multiple vulnerabilities in Mediawiki
X-Mailer: reportbug 3.17
Date: Thu, 06 Oct 2005 11:37:35 +0200
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Message-Id: <E1ENSC0-00025F-0F at localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.116.28
X-SA-Exim-Mail-From: jmm at inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: mediawiki
Severity: grave
Tags: security
Justification: user security hole

1.4.11 fixes two security problems:

CAN-2005-3167:
Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not
properly remove certain CSS inputs (HTML inline style attributes) that
are processed as active content by Internet Explorer, which allows remote
attackers to conduct cross-site scripting (XSS) attacks.

CAN-2005-3166:
Unspecified vulnerability in "edit submission handling" for MediaWiki
1.4.x before 1.4.10 and 1.3.x before 1.3.16 allows remote attackers to
cause a denial of service (corruption of the previous submission) via a
crafted URL.                                                                         |

Please mention these CVE assignments when you provide a fixed package.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 332408-close) by bugs.debian.org; 6 Oct 2005 23:18:52 +0000
>From katie at spohr.debian.org Thu Oct 06 16:18:52 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1ENez5-0007lI-00; Thu, 06 Oct 2005 16:17:07 -0700
From: Romain Beauxis <toots at rastageeks.org>
To: 332408-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#332408: fixed in mediawiki 1.4.11-1
Message-Id: <E1ENez5-0007lI-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Thu, 06 Oct 2005 16:17:07 -0700
Delivered-To: 332408-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 9

Source: mediawiki
Source-Version: 1.4.11-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.4.11-1_i386.deb
  to pool/main/m/mediawiki/mediawiki-math_1.4.11-1_i386.deb
mediawiki_1.4.11-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.4.11-1.diff.gz
mediawiki_1.4.11-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.4.11-1.dsc
mediawiki_1.4.11-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.4.11-1_all.deb
mediawiki_1.4.11.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.4.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332408 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots at rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  6 Oct 2005 13:13:25 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all i386
Version: 1.4.11-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel at lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots at rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 330904 330905 331349 331417 331466 332024 332268 332405 332408
Changes: 
 mediawiki (1.4.11-1) unstable; urgency=high
 .
   * New upstream security release.
   * Fix for CAN-2005-3167 and CAN-2005-3166 in new upstream (Closes: #332408)
   * Added translations files. Thanks to all contributors! (Closes: #330904,
     #330905, #331349, #331466, #332405)
   * Corrected Maintainer name (Closes: #332268)
   * Added link to MediaWiki installation how-to and MediaWiki Editing Help
     in README.Debian (Closes: #331417)
   * Added dependy | debconf-2.0 (Closes: #332024)
   * Changed 'arch:any' for mediawiki-math: should only be built on arch
     where ocaml compiler is present.
Files: 
 78f330e484e1b3e82dd5b70d54039824 887 web optional mediawiki_1.4.11-1.dsc
 e70b6c6fbc0e6de522f72680176c3917 1982489 web optional mediawiki_1.4.11.orig.tar.gz
 65f330f1195b6abb214b0cdde31b32a2 9603 web optional mediawiki_1.4.11-1.diff.gz
 264af70f45cf98323405c82edfc3d8aa 1941332 web optional mediawiki_1.4.11-1_all.deb
 4009981b28ac8db56cfc5f69c62504e2 113378 web optional mediawiki-math_1.4.11-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDRapQsczZcpAmcIYRAp9vAJ4hOCqcOINn6q061twBod7Xb4IXaACgp4Ai
8Zv3RUEfC34Z14/LFhUB48Y=
=+W5F
-----END PGP SIGNATURE-----




More information about the Pkg-mediawiki-devel mailing list