lp://staging/ubuntu/jaunty-security/mediawiki

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/jaunty-security/mediawiki

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

22. By Andreas Wenning

* SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
  which restrict access to private files using e.g. img_auth.php.
  - CVE-2010-1190
  - debian/patches/DataLeakage-CVE-2010-1190.patch
  - patch from upstream SVN rev. 63436
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
  - LP: #603740

21. By Andreas Wenning

* SECURITY UPDATE: A CSRF vulnerability was discovered in our login
  interface. Although regular logins are protected as of 1.15.3, it was
  discovered that the account creation and password reset features were not
  protected from CSRF. This could lead to unauthorised access to private
  wikis. (LP: #586773)
  - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
  - patch from upstream SVN rev. 66991
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
* SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
  allows attackers to construct CSS strings which are treated as safe by
  previous versions of MediaWiki, but are decoded to unsafe strings by
  Internet Explorer. (LP: #586773)
  - debian/patches/XSS-IE-no-CVE_rev-66992.patch
  - patch from upstream SVN rev. 66992
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

20. By Andreas Wenning

* SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
  attacker who controls a user account on the target wiki can force the
  victim to login as the attacker, via a script on an external website.
  IMPORTANT: Fix includes a breaking change to the API login action. Any
  clients using it will need to be updated. (LP: #557159)
  - debian/patches/CSRF-no-CVE_rev-64680.patch
  - patch based on upstream SVN rev. 64680
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
  - CVE-2010-1150

19. By Andreas Wenning

* SECURITY UPDATE: CSS validation issue allowing external images to be included
  into wikis where that is disallowed by conf. (LP: #537974)
  - debian/patches/CSS-no-CVE_rev-63429.patch
  - patch from upstream SVN rev. 63429
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html

18. By Andreas Wenning

* SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
  the web-based installer (config/index.php). (LP: #348858)
  - CVE-2009-0737
  - debian/patches/CVE-2009-0737.patch
  - patch based on upstream patches for 1.13.4 and 1.13.5
  - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

17. By Thomas Bechtold

includes/mime.types: Add mimetypes for opendocument files (LP: #314220).

16. By Romain Beauxis

* New upstream release.
* Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
"An XSS vulnerability affecting all MediaWiki installations between
 1.13.0 and 1.13.2."
Closes: #508868
* Fix CVE-2008-5250: several local script injection vulnerabilities
  in MediaWiki:
"o A local script injection vulnerability affecting Internet Explorer
   clients for all MediaWiki installations with uploads enabled.
 o A local script injection vulnerability affecting clients with SVG
   scripting capability (such as Firefox 1.5+), for all MediaWiki
   installations with SVG uploads enabled."
Closes: #508869
* Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
  feature in MediaWiki:
"A CSRF vulnerability affecting the Special:Import feature, for all
 MediaWiki installations since the feature was introduced in 1.3.0."
Closes: #508870

15. By Romain Beauxis

* New upstream release
* Fix CVE-2008-4408: XSS in mediawiki:
  "Cross-site scripting (XSS) vulnerability allows remote attackers
   to inject arbitrary web script or HTML via the useskin parameter
   to an unspecified component."
Closes: #501115

14. By Romain Beauxis

* Fixed postgresql dependency
Closes: #472987
* Added instructions to install and upgrade
Closes: #472990, #472831

13. By Romain Beauxis

* Added patch to fix pgsql select, thanks to Marc Dequènes
Closes: #469841
* Updated README.Debian to mention php5-gd instead of php5-gd2
and texlive-latex-base instead of tetex-bin.
Closes: #469558
* still setting urgency to high since previous upload didn't make it
to testing.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp://staging/ubuntu/lucid/mediawiki
This branch contains Public information 
Everyone can see this information.
