Your message dated Sat, 11 Apr 2009 16:47:31 +0000
with message-id <e1lsgmd-0001vq...@ries.debian.org>
and subject line Bug#514547: fixed in mediawiki 1:1.12.0-2lenny3
has caused the Debian Bug report #514547,
regarding mediawiki: new upstream release, fixes security issues in the installer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.12.0-2lenny3
Severity: grave
Tags: security
Justification: user security hole


        Hi all !

A new upstream release of mediawiki was done in order to fix security 
issues in the installer:

"This is a security release of 1.13.4, 1.12.4 and 1.6.12.

A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These vulnerabilities
all require a live installer -- once the installer has been used to
install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used to
attack the active service.

If you are hosting an old copy of MediaWiki that you have never
installed, we advise you to remove it from the web.

Additionally, we are releasing 1.14.0rc1, the first release candidate
of the 2009 Q1 branch. Brave souls are encouraged to download it and
try it out.

Note that we have disabled SQLite installation in 1.14, due to the
incompleteness of the implementation. We intend to restore it in 1.15.
We're not sure how many people are using SQLite, so contact us if our
treatment of it is causing you problems."

I have already imported the patch in the lenny/ branch on the SVN[1], but I
have absolutely no time to do serious testing, so any interested contributor
would be most welcome :)


Romain

[1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2-mpm-worker [httpd 2.2.11-1       Apache HTTP Server - high speed th
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  mime-support              3.44-1         MIME files 'mime.types' & 'mailcap
ii  php5                      5.2.6.dfsg.1-2 server-side, HTML-embedded scripti
ii  php5-mysql                5.2.6.dfsg.1-2 MySQL module for php5

Versions of packages mediawiki recommends:
ii  mysql-server-5.0 [mysql-s 5.0.67-1       MySQL database server binaries
ii  php5-cli                  5.2.6.dfsg.1-2 command-line interpreter for the p

Versions of packages mediawiki suggests:
pn  clamav        <none>                     (no description available)
ii  imagemagick   7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs
pn  mediawiki-mat <none>                     (no description available)
pn  memcached     <none>                     (no description available)

-- debconf information:
  mediawiki/webserver: apache2




--- End Message ---
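
The announcement quoted in the report above advises removing any MediaWiki copy that was unpacked but never installed. The following audit script is an added example, not part of the original messages or of the MediaWiki or Debian code. It assumes that an installed wiki has LocalSettings.php in its root and that a MediaWiki tree can be recognised by includes/DefaultSettings.php; the function names and the sample tree are hypothetical.

```bash
#!/bin/bash
# List MediaWiki trees under a web root whose web installer may still be live.
# Assumption (not stated on the page): the installer at config/index.php
# refuses to run once LocalSettings.php exists in the wiki root, so
# "installer present, LocalSettings.php absent" marks an uninstalled copy.

find_live_installers() {
    # $1: directory to scan, e.g. the web server's document root
    local root=$1 installer wiki
    # -L follows symlinks, which packaged layouts commonly use
    find -L "$root" -type f -path '*/config/index.php' -print 2>/dev/null |
    while IFS= read -r installer; do
        wiki=${installer%/config/index.php}
        # Skip config/index.php files that belong to other applications
        # (assumed marker file for a MediaWiki tree).
        [ -f "$wiki/includes/DefaultSettings.php" ] || continue
        # An installed wiki has LocalSettings.php; its installer is inactive.
        [ -e "$wiki/LocalSettings.php" ] && continue
        printf '%s\n' "$wiki"
    done | sort
}

make_sample_tree() {
    # Constructed sample layout, for demonstration only:
    #   wiki-live  unpacked, never installed   -> should be reported
    #   wiki-done  installed                   -> should be skipped
    #   otherapp   unrelated config/index.php  -> should be skipped
    local t d
    t=$(mktemp -d)
    for d in wiki-live wiki-done; do
        mkdir -p "$t/$d/config" "$t/$d/includes"
        touch "$t/$d/config/index.php" "$t/$d/includes/DefaultSettings.php"
    done
    touch "$t/wiki-done/LocalSettings.php"
    mkdir -p "$t/otherapp/config"
    touch "$t/otherapp/config/index.php"
    printf '%s\n' "$t"
}

# Demonstration on the constructed tree; point find_live_installers at a
# real document root to audit a host.
sample=$(make_sample_tree)
find_live_installers "$sample"
rm -rf "$sample"
```

Each path printed is a candidate for removal from the web root, or for upgrading to a fixed release before it is installed.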
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.12.0-2lenny3

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.12.0-2lenny3_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny3_amd64.deb
mediawiki_1.12.0-2lenny3.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.diff.gz
mediawiki_1.12.0-2lenny3.dsc
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.dsc
mediawiki_1.12.0-2lenny3_all.deb
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <to...@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 07 Feb 2009 19:57:08 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny3
Distribution: testing-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Romain Beauxis <to...@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 514547
Changes: 
 mediawiki (1:1.12.0-2lenny3) testing-security; urgency=high
 .
   * Security upload.
   * Applied changes from 1.12.4:
   "A number of cross-site scripting (XSS) security vulnerabilities were
    discovered in the web-based installer (config/index.php). These
    vulnerabilities all require a live installer -- once the installer
    has been used to install a wiki, it is deactivated."
   Closes: #514547

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
