Bug#514547: marked as done (mediawiki: new upstream release, fixes security issues in the installer)
Your message dated Sat, 11 Apr 2009 16:47:31 + with message-id e1lsgmd-0001vq...@ries.debian.org and subject line Bug#514547: fixed in mediawiki 1:1.12.0-2lenny3 has caused the Debian Bug report #514547, regarding mediawiki: new upstream release, fixes security issues in the installer to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 514547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: mediawiki Version: 1:1.12.0-2lenny3 Severity: grave Tags: security Justification: user security hole Hi all ! A new upstream release of mediawiki was done in order to fix security issues in the installer: This is a security release of 1.13.4, 1.12.4 and 1.6.12. A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated. Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service. If you are hosting an old copy of MediaWiki that you have never installed, we advise you to remove it from the web. Additionally, we are releasing 1.14.0rc1, the first release candidate of the 2009 Q1 branch. Brave souls are encouraged to download it and try it out. Note that we have disabled SQLite installation in 1.14, due to the incompleteness of the implementation. We intend to restore it in 1.15. We're not sure how many people are using SQLite, so contact us if our treatment of it is causing you problems. I have already imported the patch in the lenny/ branch on the SVN[1], but I have absolutely no time to do serious testings, so any interested contributor would be much welcome :) Romain [1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny -- System Information: Debian Release: 5.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages mediawiki depends on: ii apache2-mpm-worker [httpd 2.2.11-1 Apache HTTP Server - high speed th ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii mime-support 3.44-1 MIME files 'mime.types' 'mailcap ii php5 5.2.6.dfsg.1-2 server-side, HTML-embedded scripti ii php5-mysql5.2.6.dfsg.1-2 MySQL module for php5 Versions of packages mediawiki recommends: ii mysql-server-5.0 [mysql-s 5.0.67-1 MySQL database server binaries ii php5-cli 5.2.6.dfsg.1-2 command-line interpreter for the p Versions of packages mediawiki suggests: pn clamavnone (no description available) ii imagemagick 7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs pn mediawiki-mat none (no description available) pn memcached none (no description available) -- debconf information: mediawiki/webserver: apache2 ---End Message--- ---BeginMessage--- Source: mediawiki Source-Version: 1:1.12.0-2lenny3 We believe that the bug you reported is fixed in the latest version of mediawiki, which is due to be installed in the Debian FTP archive: mediawiki-math_1.12.0-2lenny3_amd64.deb to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny3_amd64.deb mediawiki_1.12.0-2lenny3.diff.gz to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.diff.gz mediawiki_1.12.0-2lenny3.dsc to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.dsc mediawiki_1.12.0-2lenny3_all.deb to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 514...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Romain Beauxis to...@rastageeks.org (supplier of updated mediawiki package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
Bug#514547: marked as done (mediawiki: new upstream release, fixes security issues in the installer)
Your message dated Wed, 25 Mar 2009 19:53:58 + with message-id e1lmzak-0005rb...@ries.debian.org and subject line Bug#514547: fixed in mediawiki 1:1.12.0-2lenny3 has caused the Debian Bug report #514547, regarding mediawiki: new upstream release, fixes security issues in the installer to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 514547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: mediawiki Version: 1:1.12.0-2lenny3 Severity: grave Tags: security Justification: user security hole Hi all ! A new upstream release of mediawiki was done in order to fix security issues in the installer: This is a security release of 1.13.4, 1.12.4 and 1.6.12. A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated. Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service. If you are hosting an old copy of MediaWiki that you have never installed, we advise you to remove it from the web. Additionally, we are releasing 1.14.0rc1, the first release candidate of the 2009 Q1 branch. Brave souls are encouraged to download it and try it out. Note that we have disabled SQLite installation in 1.14, due to the incompleteness of the implementation. We intend to restore it in 1.15. We're not sure how many people are using SQLite, so contact us if our treatment of it is causing you problems. I have already imported the patch in the lenny/ branch on the SVN[1], but I have absolutely no time to do serious testings, so any interested contributor would be much welcome :) Romain [1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny -- System Information: Debian Release: 5.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages mediawiki depends on: ii apache2-mpm-worker [httpd 2.2.11-1 Apache HTTP Server - high speed th ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii mime-support 3.44-1 MIME files 'mime.types' 'mailcap ii php5 5.2.6.dfsg.1-2 server-side, HTML-embedded scripti ii php5-mysql5.2.6.dfsg.1-2 MySQL module for php5 Versions of packages mediawiki recommends: ii mysql-server-5.0 [mysql-s 5.0.67-1 MySQL database server binaries ii php5-cli 5.2.6.dfsg.1-2 command-line interpreter for the p Versions of packages mediawiki suggests: pn clamavnone (no description available) ii imagemagick 7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs pn mediawiki-mat none (no description available) pn memcached none (no description available) -- debconf information: mediawiki/webserver: apache2 ---End Message--- ---BeginMessage--- Source: mediawiki Source-Version: 1:1.12.0-2lenny3 We believe that the bug you reported is fixed in the latest version of mediawiki, which is due to be installed in the Debian FTP archive: mediawiki-math_1.12.0-2lenny3_amd64.deb to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny3_amd64.deb mediawiki_1.12.0-2lenny3.diff.gz to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.diff.gz mediawiki_1.12.0-2lenny3.dsc to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3.dsc mediawiki_1.12.0-2lenny3_all.deb to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny3_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 514...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Romain Beauxis to...@rastageeks.org (supplier of updated mediawiki package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
Bug#514547: marked as done (mediawiki: new upstream release, fixes security issues in the installer)
Your message dated Fri, 06 Mar 2009 21:02:18 + with message-id e1lfhbs-0005h7...@ries.debian.org and subject line Bug#514547: fixed in mediawiki 1:1.14.0-1 has caused the Debian Bug report #514547, regarding mediawiki: new upstream release, fixes security issues in the installer to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 514547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: mediawiki Version: 1:1.12.0-2lenny3 Severity: grave Tags: security Justification: user security hole Hi all ! A new upstream release of mediawiki was done in order to fix security issues in the installer: This is a security release of 1.13.4, 1.12.4 and 1.6.12. A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated. Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service. If you are hosting an old copy of MediaWiki that you have never installed, we advise you to remove it from the web. Additionally, we are releasing 1.14.0rc1, the first release candidate of the 2009 Q1 branch. Brave souls are encouraged to download it and try it out. Note that we have disabled SQLite installation in 1.14, due to the incompleteness of the implementation. We intend to restore it in 1.15. We're not sure how many people are using SQLite, so contact us if our treatment of it is causing you problems. I have already imported the patch in the lenny/ branch on the SVN[1], but I have absolutely no time to do serious testings, so any interested contributor would be much welcome :) Romain [1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny -- System Information: Debian Release: 5.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages mediawiki depends on: ii apache2-mpm-worker [httpd 2.2.11-1 Apache HTTP Server - high speed th ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii mime-support 3.44-1 MIME files 'mime.types' 'mailcap ii php5 5.2.6.dfsg.1-2 server-side, HTML-embedded scripti ii php5-mysql5.2.6.dfsg.1-2 MySQL module for php5 Versions of packages mediawiki recommends: ii mysql-server-5.0 [mysql-s 5.0.67-1 MySQL database server binaries ii php5-cli 5.2.6.dfsg.1-2 command-line interpreter for the p Versions of packages mediawiki suggests: pn clamavnone (no description available) ii imagemagick 7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs pn mediawiki-mat none (no description available) pn memcached none (no description available) -- debconf information: mediawiki/webserver: apache2 ---End Message--- ---BeginMessage--- Source: mediawiki Source-Version: 1:1.14.0-1 We believe that the bug you reported is fixed in the latest version of mediawiki, which is due to be installed in the Debian FTP archive: mediawiki-math_1.14.0-1_amd64.deb to pool/main/m/mediawiki/mediawiki-math_1.14.0-1_amd64.deb mediawiki_1.14.0-1.diff.gz to pool/main/m/mediawiki/mediawiki_1.14.0-1.diff.gz mediawiki_1.14.0-1.dsc to pool/main/m/mediawiki/mediawiki_1.14.0-1.dsc mediawiki_1.14.0-1_all.deb to pool/main/m/mediawiki/mediawiki_1.14.0-1_all.deb mediawiki_1.14.0.orig.tar.gz to pool/main/m/mediawiki/mediawiki_1.14.0.orig.tar.gz A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 514...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Romain Beauxis to...@rastageeks.org (supplier of updated mediawiki package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED