[ubuntu/maverick] mediawiki 1:1.15.4-1 (Accepted)

Ubuntu Installer archive at ubuntu.com
Tue Jun 22 18:10:26 BST 2010 

mediawiki (1:1.15.4-1) unstable; urgency=high

  [ Jonathan Wiltshire ]
  * New upstream security release (closes: #585918).
  * CVE-2010-1647:
    Fix a cross-site scripting (XSS) vulnerability which allows
    remote attackers to inject arbitrary web script or HTML via crafted
    Cascading Style Sheets (CSS) strings that are processed as script by
    Internet Explorer.
  * CVE-2010-1648:
    Fix a cross-site request forgery (CSRF) vulnerability in the login interface
    which allows remote attackers to hijack the authentication of users for
    requests that (1) create accounts or (2) reset passwords, related to the
    Special:Userlogin form.

  [ Romain Beauxis ]
  * Put debian's package version in declared version.
    Should help sysadmins to keep track of installed 
    versions, in particular with regard to security
    updates. 
  * Added Jonathan Wiltshire to uploaders.
  * Do not clan math dir if it does not exist (for instance
    when running clean from SVN).

mediawiki (1:1.15.3-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
  "MediaWiki was found to be vulnerable to login CSRF. An attacker who
   controls a user account on the target wiki can force the victim to log
   in as the attacker, via a script on an external website. If the wiki is
   configured to allow user scripts, say with "$wgAllowUserJs = true" in
   LocalSettings.php, then the attacker can proceed to mount a
  phishing-style attack against the victim to obtain their password."

mediawiki (1:1.15.2-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
  "Two security issues were discovered:

   A CSS validation issue was discovered which allows editors to display
   external images in wiki pages. This is a privacy concern on public
   wikis, since a malicious user may link to an image on a server they
   control, which would allow that attacker to gather IP addresses and
   other information from users of the public wiki. All sites running
   publicly-editable MediaWiki installations are advised to upgrade. All
   versions of MediaWiki (prior to this one) are affected.

   A data leakage vulnerability was discovered in thumb.php which affects
   wikis which restrict access to private files using img_auth.php, or
   some similar scheme. All versions of MediaWiki since 1.5 are affected."
  * Updated standards.
  * Removed section about upgrading from mediawiki1.x packages
    in README.Debian since they do not exist in any supported distribution
    anymore.
  * Switched php5-gd and imagemagick in Suggests. Closes: #542008
  * Backported patch from revision 51083 to fix a bug with invalid titles.
  Closes: #537134
  * Backported patch from revision 61090 to add a unique guid per RSS
    feed element.
  Closes: #383130
  * Refreshed patches. 

Date: Tue,  22 Jun 2010 17:58:17 +0100
Changed-By: Andreas Wenning <awen at awen.dk>
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel at lists.alioth.debian.org>
Origin: Debian/unstable
https://launchpad.net/ubuntu/maverick/+source/mediawiki/1:1.15.4-1
-------------- next part --------------
Origin: Debian/unstable
Format: 1.7
Date: Tue,  22 Jun 2010 17:58:17 +0100
Source: mediawiki
Binary: mediawiki, mediawiki-math
Architecture: source
Version: 1:1.15.4-1
Distribution: maverick
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel at lists.alioth.debian.org>
Changed-By: Andreas Wenning <awen at awen.dk>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 383130 537134 542008 585918
Changes: 
 mediawiki (1:1.15.4-1) unstable; urgency=high
 .
   [ Jonathan Wiltshire ]
   * New upstream security release (closes: #585918).
   * CVE-2010-1647:
     Fix a cross-site scripting (XSS) vulnerability which allows
     remote attackers to inject arbitrary web script or HTML via crafted
     Cascading Style Sheets (CSS) strings that are processed as script by
     Internet Explorer.
   * CVE-2010-1648:
     Fix a cross-site request forgery (CSRF) vulnerability in the login interface
     which allows remote attackers to hijack the authentication of users for
     requests that (1) create accounts or (2) reset passwords, related to the
     Special:Userlogin form.
 .
   [ Romain Beauxis ]
   * Put debian's package version in declared version.
     Should help sysadmins to keep track of installed 
     versions, in particular with regard to security
     updates. 
   * Added Jonathan Wiltshire to uploaders.
   * Do not clan math dir if it does not exist (for instance
     when running clean from SVN).
 .
 mediawiki (1:1.15.3-1) unstable; urgency=high
 .
   * New upstream release.
   * Fixes security issue:
   "MediaWiki was found to be vulnerable to login CSRF. An attacker who
    controls a user account on the target wiki can force the victim to log
    in as the attacker, via a script on an external website. If the wiki is
    configured to allow user scripts, say with "$wgAllowUserJs = true" in
    LocalSettings.php, then the attacker can proceed to mount a
   phishing-style attack against the victim to obtain their password."
 .
 mediawiki (1:1.15.2-1) unstable; urgency=high
 .
   * New upstream release.
   * Fixes security issue:
   "Two security issues were discovered:
 .
    A CSS validation issue was discovered which allows editors to display
    external images in wiki pages. This is a privacy concern on public
    wikis, since a malicious user may link to an image on a server they
    control, which would allow that attacker to gather IP addresses and
    other information from users of the public wiki. All sites running
    publicly-editable MediaWiki installations are advised to upgrade. All
    versions of MediaWiki (prior to this one) are affected.
 .
    A data leakage vulnerability was discovered in thumb.php which affects
    wikis which restrict access to private files using img_auth.php, or
    some similar scheme. All versions of MediaWiki since 1.5 are affected."
   * Updated standards.
   * Removed section about upgrading from mediawiki1.x packages
     in README.Debian since they do not exist in any supported distribution
     anymore.
   * Switched php5-gd and imagemagick in Suggests. Closes: #542008
   * Backported patch from revision 51083 to fix a bug with invalid titles.
   Closes: #537134
   * Backported patch from revision 61090 to add a unique guid per RSS
     feed element.
   Closes: #383130
   * Refreshed patches. 
Files: 
 9c37dee8addc27b2051ee2eebc238b4d 11531488 web optional mediawiki_1.15.4.orig.tar.gz
 82f80cee9c3d12a2abf3b9d2c697b04c 31335 web optional mediawiki_1.15.4-1.diff.gz
 fd667b39e8099fb2494edc2fa89e2c9c 1575 web optional mediawiki_1.15.4-1.dsc

More information about the Maverick-changes mailing list