Public bug reported:
Please sync mediawiki 1:1.15.4-1 (universe) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu package simply contains the upstream security fixes as included in
the 1.15.2/3/4 package.
Changelog entries since current maverick version 1:1.15.1-1ubuntu3:
mediawiki (1:1.15.4-1) unstable; urgency=high
[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
Fix a cross-site scripting (XSS) vulnerability which allows
remote attackers to inject arbitrary web script or HTML via crafted
Cascading Style Sheets (CSS) strings that are processed as script by
Internet Explorer.
* CVE-2010-1648:
Fix a cross-site request forgery (CSRF) vulnerability in the login interface
which allows remote attackers to hijack the authentication of users for
requests that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form.
[ Romain Beauxis ]
* Put debian's package version in declared version.
Should help sysadmins to keep track of installed
versions, in particular with regard to security
updates.
* Added Jonathan Wiltshire to uploaders.
* Do not clan math dir if it does not exist (for instance
when running clean from SVN).
-- Romain Beauxis <to...@rastageeks.org> Mon, 21 Jun 2010 23:41:29
+0200
mediawiki (1:1.15.3-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
-- Romain Beauxis <to...@rastageeks.org> Fri, 16 Apr 2010 14:44:09
-0500
mediawiki (1:1.15.2-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
in README.Debian since they do not exist in any supported distribution
anymore.
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
feed element.
Closes: #383130
* Refreshed patches.
-- Romain Beauxis <to...@rastageeks.org> Mon, 15 Mar 2010 11:41:07
-0500
** Affects: mediawiki (Ubuntu)
Importance: Wishlist
Status: Confirmed
** Changed in: mediawiki (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: mediawiki (Ubuntu)
Status: New => Confirmed
--
Sync mediawiki 1:1.15.4-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/597220
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
