[Pkg-mediawiki-devel] Bug#677895: Bug#677895: CVE-2012-2698: unescaped lang and dir

Platonides platonides at gmail.com
Sun Jun 17 17:25:59 UTC 2012


On 17/06/12 17:01, Luk Claes wrote:
> Package: mediawiki
> Severity: important
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mediawiki.
> 
> CVE-2012-2698
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

No need to patch it. Debian got lucky here by using a 3-year-old
branch. The language code output in the skin was introduced in r49331,
and 1.15 had been branched two weeks before on r49331.

Even then, the first affected version seems to have been 1.17,
introduced in r81340 just after the fix for bug 27094 (CVE-2011-0537),
which was not backported to Debian since it's Windows-specific:
http://security-tracker.debian.org/tracker/CVE-2011-0537.

The only thing to do is to replace 1.19.0 in experimental with 1.19.1.
Jonathan, you said you had prepared 1.19.1; can you push it?
