[Pkg-mediawiki-devel] Request upload permit for mediawiki (1:1.19.16+dfsg-0+deb7u1) wheezy-security

Thorsten Glaser t.glaser at tarent.de
Wed Jun 11 14:54:38 UTC 2014


tags 748941 + pending
thanks

Dear stable-security maintainers,

I’m requesting upload permission for another mediawiki upstream
version (security and maintenance release) fixing CVE-2014-3966,
along with packaging fixes (RC bug #748941) and janitorial fixes
(update debian/upstream/signing-key.asc; add debian/source/options
to get *.debian.tar.gz files for wheezy even when packaging on sid).

The full and complete debdiff between the current version in
stable-security and the proposed upload is small enough to be
inlined below:

diff -Nru mediawiki-1.19.15+dfsg/RELEASE-NOTES-1.19 mediawiki-1.19.16+dfsg/RELEASE-NOTES-1.19
--- mediawiki-1.19.15+dfsg/RELEASE-NOTES-1.19	2014-04-02 21:03:49.000000000 +0200
+++ mediawiki-1.19.16+dfsg/RELEASE-NOTES-1.19	2014-05-29 20:01:57.000000000 +0200
@@ -3,6 +3,15 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.19.16 ==
+
+This is a security release of the MediaWiki 1.19 branch.
+
+=== Changes since 1.19.15 ===
+
+* (bug 65501) SECURITY: Don't parse usernames as wikitext on
+  Special:PasswordReset.
+
 == MediaWiki 1.19.15 ==
 
 This is a maintenance release of the MediaWiki 1.19 branch.
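Review bot: the new release-notes entry cites only bug 65501; the debian/changelog hunk in this same debdiff pairs it with CVE-2014-3966, and carrying the CVE identifier here as well ("(bug 65501, CVE-2014-3966) SECURITY: ...") makes the upstream notes searchable by the identifier security trackers actually use.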
diff -Nru mediawiki-1.19.15+dfsg/debian/changelog mediawiki-1.19.16+dfsg/debian/changelog
--- mediawiki-1.19.15+dfsg/debian/changelog	2014-04-03 10:27:26.000000000 +0200
+++ mediawiki-1.19.16+dfsg/debian/changelog	2014-06-11 16:44:06.000000000 +0200
@@ -1,3 +1,13 @@
+mediawiki (1:1.19.16+dfsg-0+deb7u1) wheezy-security; urgency=medium
+
+  * New upstream security and maintenance release:
+    - CVE-2014-3966 (bug 65501) SECURITY: Don't parse usernames as
+      wikitext on Special:PasswordReset.
+  * Update debian/upstream/signing-key.asc
+  * Conflicts: mediawiki-classes (Closes: #748941)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Wed, 11 Jun 2014 16:42:23 +0200
+
 mediawiki (1:1.19.15+dfsg-0+deb7u1) wheezy-security; urgency=medium
 
   * New upstream security and maintenance release:
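Review bot: the changelog entry does not mention the new debian/source/options file that this debdiff adds, although the cover mail lists it among the janitorial fixes; add a line such as "* Add debian/source/options to force gzip-compressed debian.tar for wheezy" so the reason for the build-behaviour change is recorded in the package history rather than only in the upload-permission mail.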
diff -Nru mediawiki-1.19.15+dfsg/debian/control mediawiki-1.19.16+dfsg/debian/control
--- mediawiki-1.19.15+dfsg/debian/control	2014-02-10 09:35:47.000000000 +0100
+++ mediawiki-1.19.16+dfsg/debian/control	2014-05-13 19:48:17.000000000 +0200
@@ -25,6 +25,7 @@
  mediawiki-extensions-graphviz (<< 2.8~),
  mediawiki-extensions (<< 2.8~)
 Conflicts: mediawiki-extensions-base (<< 3.5~),
+ mediawiki-classes,
  mediawiki-extensions-confirmedit
 Replaces: mediawiki-extensions-confirmedit
 Description: website engine for collaborative work
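Review bot: the added "mediawiki-classes" entry in Conflicts is unversioned and comes with no matching Replaces or Provides, so it blocks co-installation with every version of that package; if the intent behind #748941 is that mediawiki now supersedes mediawiki-classes, consider the versioned Conflicts/Replaces pattern used for mediawiki-extensions-confirmedit just below, and otherwise state in the changelog why an unversioned conflict is the right relationship.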
diff -Nru mediawiki-1.19.15+dfsg/debian/source/options mediawiki-1.19.16+dfsg/debian/source/options
--- mediawiki-1.19.15+dfsg/debian/source/options	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.16+dfsg/debian/source/options	2014-03-28 14:14:51.000000000 +0100
@@ -0,0 +1,2 @@
+compression = "gzip"
+compression-level = 9
diff -Nru mediawiki-1.19.15+dfsg/debian/upstream/signing-key.asc mediawiki-1.19.16+dfsg/debian/upstream/signing-key.asc
--- mediawiki-1.19.15+dfsg/debian/upstream/signing-key.asc	2014-03-28 10:23:18.000000000 +0100
+++ mediawiki-1.19.16+dfsg/debian/upstream/signing-key.asc	2014-06-11 16:28:18.000000000 +0200
@@ -270,3 +270,33 @@
 =f8Nf
 -----END PGP PUBLIC KEY BLOCK-----
 
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.13 (MingW32)
+
+mQENBFM0SiIBCADvlDdkeZhR6IkRQLQMMaZBciSgQfCHi10eZ+87FyWCe32wvlkt
+ineuss+cg0BltvdiVkc3uJl5RmJJv8paGvdlsPeZOGfoBUiFt6TajtumPnp4amU8
+wvhaPZ0pN/nz2QVQuUlR4Jet57ienQDPOETnmrRrCJVqYVdQqV5TQEB5NkVyV2qx
+MAKXMEIzLgcOffYbgLedHdDIock9r2DowlKUQtNozUTQoSOnCwkQFrahPosWLkYB
+7CKHnoeRmXtNdWenbFUhvnirSXbsHLmvlapilNDfQXil95YHTrQikphCcNf9Z4mK
+0TpCpl79Fb79GiDTmuZd5GkEYZRVytG3tHyVABEBAAG0JE1hcmt1cyBHbGFzZXIg
+PGdsYXNlckBoYWxsb3dlbHQuYml6PokBPgQTAQIAKAUCUzRKIgIbAwUJCWYBgAYL
+CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQlGsCVl3ACqcaHAgA1Ak3YE6qmcTA
+Hnqz7N35HbP95Xv9xU3Daw2XrxC5lFlQFR/vW4Pe9gPnUyH5d+cQZbOw6AJI7QCp
+kd5Y1sNXbW5L4TGr5QbyaC7QBlnhHchlNNDYO4f/W4vN4Dofphzs0P0GqQI0Qk9+
+tUOxzUejZS1CrvNJbzJZWTRwleQ1HG4uXaFJv+viiNdkVi2u1/5CBtqTWc66QNEg
+WFL16PI2Wla+ClCkjYE2Q2H+Rm0FQf1szZuSeNtf6Q+01zYaAvpf+7Tl8IAJxFgL
+HdE5Z4aOet6F8VU2cUp8KTV5JIUwrDkJ/SUMHVBTdbHblGDUh4YOjAYdjz6zbjNW
+KPvZ+GQ54LkBDQRTNEoiAQgAwlrZ5aPGFrKUFoex3nYVXY3z+5f/zvC30530wDZU
+sBRuTY6ZlFs3Z/7FD8GecJnq9iY2eSLY7ED3IzNqnfObGX9tejpZMhxn7K5Kp98l
+JFw8wLU1CYz1j2demmX6hQokH/ji/joiSmb0tV38v7X7lRk4warY1mlSA0jwAgzI
++MvrLk4bepu3Q+bFXL9m+M/GXcPxRx00uWdvy3uR6Z6L2q7iZWcinFMWfKxb2Y8j
+ELHj7iqMbqkaLjyKWNtPHP49D6tG1flSFc68bxKE8mOBQ20ntLQrYrOXk/o11Lux
+UlkutTpAePxYMvC5sooldiJ6vgETK5JhyPiegTREoexGgwARAQABiQElBBgBAgAP
+BQJTNEoiAhsMBQkJZgGAAAoJEJRrAlZdwAqnjA4H/i07dFJTDg61T+UeF1nw3XZT
+CpcKLC25ukVfm4Wuh9BT177DzH5ToInrP32ha9FCCC4LoXVaRxGgNLvZfhNCNcHZ
+jCVYAFBmzRWh8lE7okFhhyaX9Ta31oJpo9hOWCy9MNHJITx0YgDlUc0fFb3rodH+
+QeLikkASSuJ5deLaPjDVL6IiiUS+UzhCiU1YE1rPm9co8atJDNZGGbVdZ2dbr5ox
+cuxVGndtnTXP+onv6Hbaf/ppMYxdwiLSwMSIEOQoVEXumJHW+G2Qq7ROrZmZUasf
+9AWnFoBvSo9zXpbgedVaAr1Vk+i/UALTtAjfJ2OH3bJswJfFzbunGoOYxDIc+8I=
+=vhcr
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
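Review bot: the appended key block ends without a trailing newline ("\ No newline at end of file"), which several tools treat as a malformed armor file; add the final newline. The changelog line "Update debian/upstream/signing-key.asc" also does not say whose key was added or its fingerprint, so a reviewer cannot tell from the debdiff alone that it is the key that signed the 1.19.16 tarball; record the key owner and fingerprint in the changelog and verify the signature (for example by running uscan with verification enabled, or gpg --verify on the tarball's .sig against this keyring) before upload.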
diff -Nru mediawiki-1.19.15+dfsg/includes/DefaultSettings.php mediawiki-1.19.16+dfsg/includes/DefaultSettings.php
--- mediawiki-1.19.15+dfsg/includes/DefaultSettings.php	2014-04-02 21:03:49.000000000 +0200
+++ mediawiki-1.19.16+dfsg/includes/DefaultSettings.php	2014-05-29 20:01:57.000000000 +0200
@@ -33,7 +33,7 @@
 /** @endcond */
 
 /** MediaWiki version number */
-$wgVersion = '1.19.15';
+$wgVersion = '1.19.16';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff -Nru mediawiki-1.19.15+dfsg/includes/specials/SpecialPasswordReset.php mediawiki-1.19.16+dfsg/includes/specials/SpecialPasswordReset.php
--- mediawiki-1.19.15+dfsg/includes/specials/SpecialPasswordReset.php	2014-04-02 21:03:49.000000000 +0200
+++ mediawiki-1.19.16+dfsg/includes/specials/SpecialPasswordReset.php	2014-05-29 20:01:57.000000000 +0200
@@ -187,7 +187,8 @@
 		$firstUser = $users[0];
 
 		if ( !$firstUser instanceof User || !$firstUser->getID() ) {
-			return array( array( 'nosuchuser', $data['Username'] ) );
+			// Don't parse username as wikitext (bug 65501)
+			return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) );
 		}
 
 		// Check against the rate limiter
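Review bot: wrapping $data['Username'] in wfEscapeWikiText() is only correct if the 'nosuchuser' message is subsequently rendered as wikitext; if the form's error reporting ever emits the parameter as plain text or HTML-escapes it itself, the escaped form would show up double-escaped to the user. Confirm the rendering path (HTMLForm's error display) parses the message, and consider stating the CVE identifier alongside "bug 65501" in the code comment so the security fix is traceable from the source.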
@@ -210,7 +211,7 @@
 		// All the users will have the same email address
 		if ( $firstUser->getEmail() == '' ) {
 			// This won't be reachable from the email route, so safe to expose the username
-			return array( array( 'noemail', $firstUser->getName() ) );
+			return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) );
 		}
 
 		// We need to have a valid IP address for the hook, but per bug 18347, we should
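Review bot: the surrounding comment still reads "safe to expose the username" and now says nothing about the escaping that was added on the line below it, so a later reader may not realise the wfEscapeWikiText() call is a security measure rather than a cosmetic one; extend the comment with a reference to bug 65501 as the first hunk does. Since this method returns user-derived strings as message parameters in more than one place, audit the remaining return paths in this function for the same unescaped-parameter pattern before closing the CVE.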


Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


