Your message dated Fri, 06 Mar 2009 21:02:18 +0000
with message-id <e1lfhbs-0005h7...@ries.debian.org>
and subject line Bug#514547: fixed in mediawiki 1:1.14.0-1
has caused the Debian Bug report #514547,
regarding mediawiki: new upstream release, fixes security issues in the installer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.12.0-2lenny3
Severity: grave
Tags: security
Justification: user security hole


        Hi all !

A new upstream release of mediawiki was done in order to fix security issues
in the installer:

"This is a security release of 1.13.4, 1.12.4 and 1.6.12.

A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These vulnerabilities
all require a live installer -- once the installer has been used to
install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used to
attack the active service.

If you are hosting an old copy of MediaWiki that you have never
installed, we advise you to remove it from the web.

Additionally, we are releasing 1.14.0rc1, the first release candidate
of the 2009 Q1 branch. Brave souls are encouraged to download it and
try it out.

Note that we have disabled SQLite installation in 1.14, due to the
incompleteness of the implementation. We intend to restore it in 1.15.
We're not sure how many people are using SQLite, so contact us if our
treatment of it is causing you problems."

I have already imported the patch in the lenny/ branch on the SVN[1], but I
have absolutely no time to do serious testing, so any interested contributor
would be much welcome :)


Romain

[1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2-mpm-worker [httpd 2.2.11-1       Apache HTTP Server - high speed th
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  mime-support              3.44-1         MIME files 'mime.types' & 'mailcap
ii  php5                      5.2.6.dfsg.1-2 server-side, HTML-embedded scripti
ii  php5-mysql                5.2.6.dfsg.1-2 MySQL module for php5

Versions of packages mediawiki recommends:
ii  mysql-server-5.0 [mysql-s 5.0.67-1       MySQL database server binaries
ii  php5-cli                  5.2.6.dfsg.1-2 command-line interpreter for the p

Versions of packages mediawiki suggests:
pn  clamav        <none>                     (no description available)
ii  imagemagick   7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs
pn  mediawiki-mat <none>                     (no description available)
pn  memcached     <none>                     (no description available)

-- debconf information:
  mediawiki/webserver: apache2




--- End Message ---
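
The advisory quoted in the report above says the installer flaws only matter while config/index.php is still live, and advises removing never-installed copies from the web. The following check is an added example, not part of the original message or of the Debian or MediaWiki tooling; it assumes that an existing LocalSettings.php (in the wiki root or in config/) is what deactivates the installer, and uses includes/DefaultSettings.php as a marker for a MediaWiki tree. The sample directory tree is constructed.

```shell
#!/bin/sh
# find_live_installers ROOT
# Prints the directory of every MediaWiki tree under ROOT whose web installer
# (config/index.php, the file named in the advisory) is present and which has
# no LocalSettings.php yet, i.e. a copy that was unpacked but never installed.
# Assumption: the installer treats an existing LocalSettings.php (in the wiki
# root, or freshly generated in config/) as "already installed".
find_live_installers() {
    root=$1
    find "$root" -type f -path '*/config/index.php' 2>/dev/null |
    while IFS= read -r installer; do
        confdir=$(dirname "$installer")
        wikidir=$(dirname "$confdir")
        # Require a MediaWiki marker (assumed: includes/DefaultSettings.php)
        # so that unrelated config/index.php files are skipped.
        [ -f "$wikidir/includes/DefaultSettings.php" ] || continue
        if [ -f "$wikidir/LocalSettings.php" ] || [ -f "$confdir/LocalSettings.php" ]; then
            continue   # installer has been used; it is deactivated
        fi
        printf '%s\n' "$wikidir"
    done
}

# Constructed sample input: one never-installed copy, one installed wiki,
# and one unrelated application that also ships config/index.php.
make_sample_tree() {
    t=$(mktemp -d)
    for w in fresh installed; do
        mkdir -p "$t/$w/config" "$t/$w/includes"
        : > "$t/$w/config/index.php"
        : > "$t/$w/includes/DefaultSettings.php"
    done
    : > "$t/installed/LocalSettings.php"
    mkdir -p "$t/other/config"
    : > "$t/other/config/index.php"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
find_live_installers "$sample"     # prints only $sample/fresh
rm -rf "$sample"
```

Run it against the real document root (for example the directory the web server serves) and remove or install any tree it reports.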
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.14.0-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.14.0-1_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.14.0-1_amd64.deb
mediawiki_1.14.0-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.14.0-1.diff.gz
mediawiki_1.14.0-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.14.0-1.dsc
mediawiki_1.14.0-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.14.0-1_all.deb
mediawiki_1.14.0.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.14.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <to...@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Mar 2009 20:29:17 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.14.0-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Romain Beauxis <to...@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 510896 514547 515192
Changes: 
 mediawiki (1:1.14.0-1) unstable; urgency=low
 .
   * New upstream release.
   * Fixed issues in the installer:
   "A number of cross-site scripting (XSS) security vulnerabilities were
    discovered in the web-based installer (config/index.php).
    These vulnerabilities all require a live installer -- once the installer
    has been used to install a wiki, it is deactivated.
 .
    Note that cross-site scripting vulnerabilities can be used to attack
    any website in the same cookie domain. So if you have an uninstalled
    copy of MediaWiki on the same site as an active web service, MediaWiki
    could be used to attack the active service."
   Closes: #514547
   * Fixed typo in README.Debian
   Closes: #515192
   * Updated Japanese debconf translation, thanks to Hideki Yamane
   Closes: #510896
   * Added a file in debian/copyright

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
