[ubuntu/hardy-security] mediawiki_1.11.2-2ubuntu0.5_powerpc_translations.tar.gz, mediawiki_1.11.2-2ubuntu0.5_i386_translations.tar.gz, mediawiki_1.11.2-2ubuntu0.5_hppa_translations.tar.gz, mediawiki_1.11.2-2ubuntu0.5_sparc_translations.tar.gz (delayed), mediawiki, mediawiki_1.11.2-2ubuntu0.5_amd64_translations.tar.gz, mediawiki_1.11.2-2ubuntu0.5_ia64_translations.tar.gz, mediawiki_1.11.2-2ubuntu0.5_lpia_translations.tar.gz 1:1.11.2-2ubuntu0.5 (Accepted)

Thu Apr 8 21:04:05 BST 2010

mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150

Date: Wed, 07 Apr 2010 12:08:55 +0200
Changed-By: Andreas Wenning <awen at awen.dk>
Maintainer: Ubuntu MOTU Developers <ubuntu-motu at lists.ubuntu.com>
https://launchpad.net/ubuntu/hardy/+source/mediawiki/1:1.11.2-2ubuntu0.5
-------------- next part --------------
Format: 1.7
Date: Wed, 07 Apr 2010 12:08:55 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source
Version: 1:1.11.2-2ubuntu0.5
Distribution: hardy-security
Urgency: low
Maintainer: Ubuntu MOTU Developers <ubuntu-motu at lists.ubuntu.com>
Changed-By: Andreas Wenning <awen at awen.dk>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Launchpad-Bugs-Fixed: 557159
Changes: 
 mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low
 .
   * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
     attacker who controls a user account on the target wiki can force the
     victim to login as the attacker, via a script on an external website.
     IMPORTANT: Fix includes a breaking change to the API login action. Any
     clients using it will need to be updated. (LP: #557159)
     - debian/patches/CSRF-no-CVE_rev-64680.patch
     - patch based on upstream SVN rev. 64680
     - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
     - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
     - CVE-2010-1150
Files: 
 9b8cfbdb92ffb8e9ddf3cea5e82deacf 934 web optional mediawiki_1.11.2-2ubuntu0.5.dsc
 c9d2aee35edbf2c7f52a791f6c1e7220 62667 web optional mediawiki_1.11.2-2ubuntu0.5.diff.gz
Original-Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel at lists.alioth.debian.org>