Your message dated Thu, 18 Dec 2008 02:02:05 +0000
with message-id <e1ld8df-0000g7...@ries.debian.org>
and subject line Bug#508869: fixed in mediawiki 1:1.13.3-1
has caused the Debian Bug report #508869,
regarding CVE-2008-5250: several local script injection vulnerabilities in MediaWiki
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
508869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.7
Severity: grave
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for mediawiki.

[0]:
> * A local script injection vulnerability affecting Internet Explorer
>   clients for all MediaWiki installations with uploads enabled.
>   [CVE-2008-5250]
> * A local script injection vulnerability affecting clients with SVG
>   scripting capability (such as Firefox 1.5+), for all MediaWiki
>   installations with SVG uploads enabled. [CVE-2008-5250]

A patch fixing this and other issues can be found at [0].

If you fix the vulnerability please also make sure to include the
CVE id in the changelog entry.

[0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5250
    http://security-tracker.debian.net/tracker/CVE-2008-5250

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.13.3-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.13.3-1_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.13.3-1_amd64.deb
mediawiki_1.13.3-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.13.3-1.diff.gz
mediawiki_1.13.3-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.13.3-1.dsc
mediawiki_1.13.3-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.13.3-1_all.deb
mediawiki_1.13.3.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.13.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 508...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <to...@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Thu, 18 Dec 2008 02:37:58 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.13.3-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Romain Beauxis <to...@rastageeks.org>
Description:
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 508868 508869 508870
Changes:
 mediawiki (1:1.13.3-1) unstable; urgency=low
 .
   * New upstream release.
   * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
     "An XSS vulnerability affecting all MediaWiki installations between
     1.13.0 and 1.13.2."
     Closes: #508868
   * Fix CVE-2008-5250: several local script injection vulnerabilities
     in MediaWiki:
     "o A local script injection vulnerability affecting Internet Explorer
        clients for all MediaWiki installations with uploads enabled.
      o A local script injection vulnerability affecting clients with SVG
        scripting capability (such as Firefox 1.5+), for all MediaWiki
        installations with SVG uploads enabled."
     Closes: #508869
   * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
     feature in MediaWiki:
     "A CSRF vulnerability affecting the Special:Import feature, for all
     MediaWiki installations since the feature was introduced in 1.3.0."
     Closes: #508870
--- End Message ---