Your message dated Wed, 28 Jul 2010 13:47:17 +0000
with message-id <[email protected]>
and subject line Bug#590660: fixed in mediawiki 1:1.15.5-1
has caused the Debian Bug report #590660,
regarding mediawiki: Private data leakage in MW >= 1.8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
590660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590660
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.12.0-2lenny5
Severity: grave
Tags: security upstream
Justification: user security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- From
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html:
A data leakage vulnerability was discovered, affecting MediaWiki 1.8
and later. Public caching headers were incorrectly set on API
responses containing private data. By means of a CSRF-style attack,
this can lead to the disclosure of various types of private data
stored on a wiki. All users are advised to upgrade.
- -- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.16-1 Apache HTTP Server metapackage
ii apache2-mpm-prefork [httpd] 2.2.16-1 Apache HTTP Server - traditional n
ii debconf [debconf-2.0] 1.5.33 Debian configuration management sy
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii php5 5.3.2-2 server-side, HTML-embedded scripti
ii php5-mysql 5.3.2-2 MySQL module for php5
ii php5-pgsql 5.3.2-2 PostgreSQL module for php5
Versions of packages mediawiki recommends:
ii mysql-server 5.1.48-1 MySQL database server (metapackage
ii mysql-server-5.1 [mysql-serve 5.1.48-1 MySQL database server binaries and
ii php5-cli 5.3.2-2 command-line interpreter for the p
Versions of packages mediawiki suggests:
ii clamav 0.96.1+dfsg-3 anti-virus utility for Unix - comm
ii imagemagick 7:6.6.2.6-1 image manipulation programs
pn mediawiki-math <none> (no description available)
pn memcached <none> (no description available)
ii php5-gd 5.3.2-2 GD module for php5
- -- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
- -- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
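The advisory quoted in the bug report above describes public caching headers set on API responses that carry private data. As an added example (not part of the original messages, and not MediaWiki or Debian code), the following audits captured request/response header pairs for that condition. The paths, cookie and traffic are constructed, and heuristic freshness derived from Last-Modified is not modelled.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or ''}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out

def shared_cache_may_reuse(headers, now):
    """True if a shared cache (proxy, CDN) could answer a later request from its stored copy."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if {"private", "no-store", "no-cache"} & cc.keys():
        return False
    for key in ("s-maxage", "max-age"):  # s-maxage takes precedence in shared caches
        if key in cc:
            return cc[key].isdecimal() and int(cc[key]) > 0
    if "public" in cc:
        return True
    try:  # with no Cache-Control lifetime, Expires alone can make the response fresh
        return parsedate_to_datetime(h["expires"]) > now
    except (KeyError, TypeError, ValueError):
        return False  # absent or unparseable Expires: treat as not fresh

def audit(exchanges, now):
    """Paths whose response to a cookie-bearing request is shared-cacheable."""
    return [path for path, request, response in exchanges
            if "cookie" in {k.lower() for k in request}
            and shared_cache_may_reuse(response, now)]

# Constructed sample traffic (hypothetical paths and session cookie).
NOW = datetime(2010, 7, 28, tzinfo=timezone.utc)
COOKIE = {"Cookie": "session=abc"}
SAMPLE = [
    ("/api.php?case=1", COOKIE, {"Cache-Control": "public, s-maxage=3600, max-age=0"}),
    ("/api.php?case=2", COOKIE, {"Cache-Control": "private, max-age=0"}),
    ("/api.php?case=3", {}, {"Cache-Control": "public, max-age=300"}),
    ("/api.php?case=4", COOKIE, {"Expires": "Thu, 29 Jul 2010 00:00:00 GMT"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLE, NOW):
        print("shared-cacheable response to a logged-in request:", path)
```

Case 3 is cacheable but anonymous, so it is not reported; only responses to session-bearing requests are findings.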
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.15.5-1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.15.5-1_i386.deb
to main/m/mediawiki/mediawiki-math_1.15.5-1_i386.deb
mediawiki_1.15.5-1.debian.tar.gz
to main/m/mediawiki/mediawiki_1.15.5-1.debian.tar.gz
mediawiki_1.15.5-1.dsc
to main/m/mediawiki/mediawiki_1.15.5-1.dsc
mediawiki_1.15.5-1_all.deb
to main/m/mediawiki/mediawiki_1.15.5-1_all.deb
mediawiki_1.15.5.orig.tar.gz
to main/m/mediawiki/mediawiki_1.15.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <[email protected]> (supplier of updated mediawiki
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Wed, 28 Jul 2010 12:23:04 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all i386
Version: 1:1.15.5-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team
<[email protected]>
Changed-By: Jonathan Wiltshire <[email protected]>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 590660 590669
Changes:
mediawiki (1:1.15.5-1) unstable; urgency=high
.
[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge
.
[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)
-----END PGP SIGNATURE-----
--- End Message ---