[Pkg-mediawiki-devel] Bug#716884: mediawiki: /usr/share/mediawiki/images points to /var/lib/mediawiki/images without security in mediawiki.conf

Mason Loring Bliss mason at blisses.org
Sun Jul 14 02:06:32 UTC 2013


Package: mediawiki
Version: 1:1.19.5-1
Severity: normal

Dear Maintainer,

MediaWiki config reports a vulnerability for /usr/share/mediawiki/images,
the default upload directory. The file /etc/mediawiki/apache.conf has
settings for /var/lib/mediawiki/upload, which doesn't exist, but does
not have settings for /var/lib/mediawiki/images.

Adding the following allowed MediaWiki to proceed without noting a
vulnerability:

<Directory /var/lib/mediawiki/images>
        Options -FollowSymLinks
        AllowOverride None
        php_admin_flag engine off
</Directory>

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mediawiki depends on:
ii  apache2                      2.2.22-13
ii  apache2-mpm-prefork [httpd]  2.2.22-13
ii  debconf [debconf-2.0]        1.5.49
ii  libjs-jquery                 1.7.2+dfsg-1
ii  libjs-jquery-cookie          6-1
ii  libjs-jquery-form            6-1
ii  libjs-jquery-tipsy           6-1
ii  mime-support                 3.52-1
ii  php5                         5.4.4-14+deb7u2
ii  php5-mysql                   5.4.4-14+deb7u2

Versions of packages mediawiki recommends:
ii  mediawiki-extensions-base  2.11
ii  mysql-server               5.5.31+dfsg-0+wheezy1
ii  php-wikidiff2              0.0.1+svn109581-1
ii  php5-cli                   5.4.4-14+deb7u2
ii  python                     2.7.3-4

Versions of packages mediawiki suggests:
pn  clamav          <none>
ii  imagemagick     8:6.7.7.10-5
pn  mediawiki-math  <none>
pn  memcached       <none>

-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]

-- debconf information:
* mediawiki/webserver: apache2
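
An added example, not part of the original report or of the Debian package: a small check that reads an Apache configuration and reports whether the PHP engine is disabled for the directory uploads are served from. The function name `php_engine_state` and the `BEFORE` sample are constructed for illustration (the report does not show the contents of the existing upload section); it assumes Apache reaches uploads through /var/lib/mediawiki/images, as in the section the report adds, and it handles plain `<Directory path>` sections only.

```python
import posixpath
import re

# Plain <Directory /path> sections only; wildcard and regex forms are skipped.
SECTION = re.compile(r'<Directory\s+"?(/[^">\s]*)"?\s*>(.*?)</Directory>', re.I | re.S)
ENGINE = re.compile(r'^\s*php_admin_flag\s+engine\s+(\S+)', re.I | re.M)

def php_engine_state(conf_text, served_dir):
    """Return 'off', 'on' or 'unset' for the PHP engine in served_dir.

    Apache merges <Directory> sections from the shortest path to the longest,
    so the longest matching section that sets the flag decides the result.
    """
    text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # drop comment lines
    target = posixpath.normpath(served_dir)
    matches = []
    for path, body in SECTION.findall(text):
        path = posixpath.normpath(path)
        if target == path or target.startswith(path.rstrip('/') + '/'):
            matches.append((len(path), body))
    state = 'unset'
    for _, body in sorted(matches, key=lambda m: m[0]):
        for value in ENGINE.findall(body):
            # mod_php treats only "On" and "1" as true for flag directives.
            state = 'on' if value.lower() in ('on', '1') else 'off'
    return state

# Constructed sample: a file that covers only the nonexistent upload directory.
BEFORE = """
<Directory /var/lib/mediawiki/upload>
        Options -FollowSymLinks
        AllowOverride None
        php_admin_flag engine off
</Directory>
"""
# The same file with the section from the report appended.
AFTER = BEFORE + """
<Directory /var/lib/mediawiki/images>
        Options -FollowSymLinks
        AllowOverride None
        php_admin_flag engine off
</Directory>
"""
UPLOADS = "/var/lib/mediawiki/images"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, php_engine_state(conf, UPLOADS))
```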


