Back to mediawiki PTS page

Accepted mediawiki 1:1.12.0-2lenny2 (source all amd64)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Jan 2009 11:54:02 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny2
Distribution: testing-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 508869 508870
Changes: 
 mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
 .
   * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
   * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
     - Fixed output escaping for reporting of non-MediaWiki exceptions.
       Potential XSS if an extension throws one of these with user input.
     - Avoid fatal error in profileinfo.php when not configured.
     - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
       transwiki import feature.
     - Add a .htaccess to deleted images directory for additional protection
       against exposure of deleted files with known SHA-1 hashes on default
       installations.
     - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
       which are interpreted by IE as HTML.
     - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
       uploads are enabled. Firefox 1.5+ is affected.
     - Avoid streaming uploaded files to the user via index.php. This allows
       security-conscious users to serve uploaded files via a different domain,
       and thus client-side scripts executed from that domain cannot access the
       login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
     - When streaming files via index.php, use the MIME type detected from the
       file extension, not from the data. This reduces the XSS attack surface.
     - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
       XSS vulnerabilities involving uploads of files containing scripts.
   Closes: #508869, #508870
Checksums-Sha1: 
 512bf6e8fca53d500bf05830f63f56c8d294f50c 1256 mediawiki_1.12.0-2lenny2.dsc
 e88ac10275b63597d0f458d410bacebfb4e4011c 44723 mediawiki_1.12.0-2lenny2.diff.gz
 001451c718bd81e0919f22629cb576c070cc84a7 7221734 mediawiki_1.12.0-2lenny2_all.deb
 1b548cb4268b1a40a6450d9eb2872a693defbd97 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb
Checksums-Sha256: 
 ebbb4e60c1a3e9a654497e8d4e52ebdbac798db2bc9bd6203a5f3cd5e7db52eb 1256 mediawiki_1.12.0-2lenny2.dsc
 ead873972b16a61e4ed3bf8a3f2a91322322b8ac0215ad5e1ba79e92690c4b9a 44723 mediawiki_1.12.0-2lenny2.diff.gz
 af01d0399306308938d8d3b02bc193d4544e56f92db5f60dec11b51c472a3211 7221734 mediawiki_1.12.0-2lenny2_all.deb
 6b833ad770dae6f5bd05fcfd3ad36d6aa721decae8b09a6a26fb4d42d07d305e 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb
Files: 
 591bf4d91a70412b0d39eec68db0d54b 1256 web optional mediawiki_1.12.0-2lenny2.dsc
 e6458248327c0bba19c8424eae912d13 44723 web optional mediawiki_1.12.0-2lenny2.diff.gz
 b0870767c2a8e11928f1064eb17bef43 7221734 web optional mediawiki_1.12.0-2lenny2_all.deb
 6cbeb87e190429648e95cadb0fcc0b40 156542 web optional mediawiki-math_1.12.0-2lenny2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl8UzwACgkQHYflSXNkfP/dKwCdHTXstaOGpEedqa836BfUxKFS
vFYAni3GafeEy8gPtsa/adkMir9yaKu1
=O3Hj
-----END PGP SIGNATURE-----


Accepted:
mediawiki-math_1.12.0-2lenny2_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny2_amd64.deb
mediawiki_1.12.0-2lenny2.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.diff.gz
mediawiki_1.12.0-2lenny2.dsc
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.dsc
mediawiki_1.12.0-2lenny2_all.deb
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2_all.deb