Package: release.debian.org Severity: important User: release.debian....@packages.debian.org Usertags: pu
(severity important because of the regression) Testing has shown that the fix for CVE-2011-4360 introduces a regression: in some situations, an error is returned instead of a login prompt. Moreover, the Debian package seems not to disclose information as described by the CVE. For this reason I would like to get a fix into this point release rather than waiting for the next. I realise the window technically closes this weekend and I'm sorry for the late notice. Debdiff attached, it's a one line change that just disables the patch in the quilt series file. Thanks -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog --- mediawiki-1.15.5/debian/changelog 2012-01-13 10:55:12.000000000 +0000 +++ mediawiki-1.15.5/debian/changelog 2012-01-21 21:08:01.000000000 +0000 @@ -1,3 +1,10 @@ +mediawiki (1:1.15.5-2squeeze4) stable; urgency=low + + * Disable CVE-2011-4360.patch, it causes ugly error messages in certain + situations. The CVE does not apply to this release. + + -- Jonathan Wiltshire <j...@debian.org> Sat, 21 Jan 2012 20:59:36 +0000 + mediawiki (1:1.15.5-2squeeze3) stable; urgency=low * debian/patches/CVE-2012-0046.patch: security fix for unintended exposure diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series --- mediawiki-1.15.5/debian/patches/series 2012-01-13 10:12:04.000000000 +0000 +++ mediawiki-1.15.5/debian/patches/series 2012-01-21 20:57:43.000000000 +0000 @@ -11,6 +11,5 @@ CVE-2011-1579.patch CVE-2011-1580.patch CVE-2011-1587.patch -CVE-2011-4360.patch CVE-2011-4361.patch CVE-2012-0046.patch
