[Pkg-mediawiki-devel] Bug#773654: mediawiki: Security issue: thumb.php outputs wikitext message as raw HTML
Sebastien Delafond
seb at debian.org
Sun Dec 21 15:55:29 UTC 2014
Package: mediawiki
Version: 1:1.19.20+dfsg-2.1
Severity: important
Tags: upstream patch
>From upstream bug T76686 (still not public): thumb.php outputs
wikitext message as raw HTML, which could lead to xss. Permission to
edit MediaWiki namespace is required to exploit this.
The upstream patch fixing this is at
https://github.com/wikimedia/mediawiki/commit/fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83,
and I have uploaded 1:1.19.20+dfsg-2.2 to DELAYED/2, that includes
it. The corresponding debdiff is included at the end of this email.
Cheers,
--Seb
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
More information about the Pkg-mediawiki-devel
mailing list