Accepted mediawiki 1:1.19.14+dfsg-0+deb7u1 (source all)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Fri, 28 Mar 2014 10:36:48 +0100
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.14+dfsg-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 mediawiki - website engine for collaborative work
Closes: 706601 716884 719208 729629 742857
Changes:
 mediawiki (1:1.19.14+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   * New upstream security fix release (Closes: #742857):
     - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
     - (bug 62467) Set a title for the context during import on the cli
     - (bug 61362) Don't find links in the middle of api.php links
     - (bug 60771) disallow iframe and unusual namespaces in SVG
     - (bug 61346) make token comparison use constant time
   * Fix bugs (file permissions; superfluous COPYING files) lintian
     pointed out (backported from sid)
   * Backport debian/rules get-orig-source-*, debian/upstream/signing-key.asc
     and debian/watch changes from sid, to prepare for sid (or experimental)
     switching to MediaWiki 1.23 (in which case further updates for stable
     will need to be made using this SVN branch)
 .
 mediawiki (1:1.19.11+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   [ Thorsten Glaser ]
   * New upstream security fix release (Closes: #729629, #706601):
     - CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
     - CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
     - CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
     - CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
     - CVE-2013-6454 (bug 58472) Disallow -o-link in styles
     - CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks
     - CVE-2013-4572 (bug 53032) Don't cache when a call could autocreate
     - CVE-2013-4567 (bug 55332) Vertical tab allows bypassing filters
     - CVE-2013-4568 (bug 55332) "expression" filtering in IE6 bypass
     - SVG script filtering could be bypassed for Chrome and Firefox
       clients by using an encoding that MediaWiki understood, but these
       browsers interpreted as UTF-8. (CVE-2013-2031)
     - Internal review discovered that extensions were not given the
       opportunity to disable a password reset, which could lead to
       circumvention of two-factor authentication (CVE-2013-2032)
     - (and others)
   * Replace trademarked image files by self-drawn Free ones
   * Secure the default images directory (Closes: #716884)
   * Handle /var/lib/mediawiki/extensions/* always as symlinks, for
     both core and extra extensions, with upgrade path (Closes: #719208)
   * Ship files in /etc/mediawiki-extensions/extensions-available/
     for extensions shipped with the mediawiki core
   * Change watch file to track upstream LTS version
   * debian/control: Change VCS-* URLs (unbreak; point to stable)
   * Update copyright file with things noted by Paul Tagliamonte, thanks!
   * Refresh one patch to make it apply cleanly against 1.19.11
 .
   [ Florian Weimer ]
   * Add “Replaces: mediawiki-extensions-confirmedit”
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
-----END PGP SIGNATURE-----