[Pkg-mediawiki-devel] Bug#773654: mediawiki: Security issue: thumb.php outputs wikitext message as raw HTML

Sebastien Delafond seb at debian.org
Sun Dec 21 15:55:29 UTC 2014

Package: mediawiki
Version: 1:1.19.20+dfsg-2.1
Severity: important
Tags: upstream patch

>From upstream bug T76686 (still not public): thumb.php outputs
wikitext message as raw HTML, which could lead to xss. Permission to
edit MediaWiki namespace is required to exploit this.

The upstream patch fixing this is at
and I have uploaded 1:1.19.20+dfsg-2.2 to DELAYED/2, that includes
it. The corresponding debdiff is included at the end of this email.



-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

More information about the Pkg-mediawiki-devel mailing list