lp://staging/ubuntu/intrepid-security/mediawiki

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/intrepid-security/mediawiki
Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

19. By Andreas Wenning

* SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
  attacker who controls a user account on the target wiki can force the
  victim to login as the attacker, via a script on an external website.
  IMPORTANT: Fix includes a breaking change to the API login action. Any
  clients using it will need to be updated. (LP: #557159)
  - debian/patches/CSRF-no-CVE_rev-64680.patch
  - patch based on upstream SVN rev. 64680
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
  - CVE-2010-1150

18. By Andreas Wenning

* SECURITY UPDATE: CSS validation issue allowing external images to be included
  into wikis where that is disallowed by conf. (LP: #537974)
  - debian/patches/CSS-no-CVE_rev-63429.patch
  - patch based on upstream SVN rev. 63429
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
* Fix regression in CVE-2009-0737.patch, where the database-specific options
  will not be shown by default when installing mediawiki. (LP: #539697)

17. By Andreas Wenning

* SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
  the web-based installer (config/index.php). (LP: #348858)
  - CVE-2009-0737
  - debian/patches/CVE-2009-0737.patch
  - patch taken directly from Debian
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

16. By Andreas Wenning

* SECURITY UPDATE:
  - CVE-2008-5249
  - CVE-2008-5250
  - CVE-2008-5252
  - other security-related problems (see full patch description).
  - patch taken directly from Debian
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
* debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
  - Fixed output escaping for reporting of non-MediaWiki exceptions.
    Potential XSS if an extension throws one of these with user input.
  - Avoid fatal error in profileinfo.php when not configured.
  - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
    transwiki import feature.
  - Add a .htaccess to deleted images directory for additional protection
    against exposure of deleted files with known SHA-1 hashes on default
    installations.
  - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
    which are interpreted by IE as HTML.
  - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
    uploads are enabled. Firefox 1.5+ is affected.
  - Avoid streaming uploaded files to the user via index.php. This allows
    security-conscious users to serve uploaded files via a different domain,
    and thus client-side scripts executed from that domain cannot access the
    login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
  - When streaming files via index.php, use the MIME type detected from the
    file extension, not from the data. This reduces the XSS attack surface.
  - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
    XSS vulnerabilities involving uploads of files containing scripts.

15. By Iain Lane

* SECURITY UPDATE:
   Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
   and possibly other versions before 1.13.2 allows remote attackers
   to inject arbitrary web script or HTML via the useskin parameter
   to an unspecified component. (LP: #290015)
   - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
     upstream/Debian patch.
   - CVE-2008-4408
   - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
   - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115

14. By Romain Beauxis

* Fixed postgresql dependency
Closes: #472987
* Added instructions to install and upgrade
Closes: #472990, #472831

13. By Romain Beauxis

* Added patch to fix pgsql select, thanks to Marc Dequènes
Closes: #469841
* Updated README.Debian to mention php5-gd instead of php5-gd2
and texlive-latex-base instead of tetex-bin.
Closes: #469558
* Still setting urgency to high since previous upload didn't make it
to testing.

12. By Romain Beauxis

* New upstream release
* A potential XSS injection vector affecting Microsoft Internet Explorer
  users has been closed.

11. By Romain Beauxis

Initial upload of 1.11.0 to unstable

10. By Romain Beauxis

* Switched to mediawiki1.10
* Mediawiki1.10 recommends mediawiki-math (Closes: #428021)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/karmic/mediawiki