Hi, the attacked debdiff is for a proposed NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)
mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252 * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch: - Fixed output escaping for reporting of non-MediaWiki exceptions. Potential XSS if an extension throws one of these with user input. - Avoid fatal error in profileinfo.php when not configured. - Fixed CSRF vulnerability in Special:Import. Fixed input validation in transwiki import feature. - Add a .htaccess to deleted images directory for additional protection against exposure of deleted files with known SHA-1 hashes on default installations. - Fixed XSS vulnerability for Internet Explorer clients, via file uploads which are interpreted by IE as HTML. - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG uploads are enabled. Firefox 1.5+ is affected. - Avoid streaming uploaded files to the user via index.php. This allows security-conscious users to serve uploaded files via a different domain, and thus client-side scripts executed from that domain cannot access the login cookies. Affects Special:Undelete, img_auth.php and thumb.php. - When streaming files via index.php, use the MIME type detected from the file extension, not from the data. This reduces the XSS attack surface. - Blacklist redirects via Special:Filepath. Such redirects exacerbate any XSS vulnerabilities involving uploads of files containing scripts. Closes: #508869, #508870 -- Giuseppe Iuculano <giuse...@iuculano.it> Sun, 18 Jan 2009 11:54:02 +0100 Cheers, Giuseppe
mediawiki_1.12.0-2lenny2.debdiff.gz
Description: GNU Zip compressed data
signature.asc
Description: OpenPGP digital signature