Public bug reported:
Please sync mediawiki 1:1.15.3-1 (universe) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu package contains the upstream security fixes as included in the
1.15.2/3 package; only added manually to be sure only to get the security
fixes after lucid feature freeze.
Changelog entries since current maverick version 1:1.15.1-1ubuntu2:
mediawiki (1:1.15.3-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
-- Romain Beauxis <to...@rastageeks.org> Fri, 16 Apr 2010 14:44:09
-0500
mediawiki (1:1.15.2-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
in README.Debian since they do not exist in any supported distribution
anymore.
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
feed element.
Closes: #383130
* Refreshed patches.
-- Romain Beauxis <to...@rastageeks.org> Mon, 15 Mar 2010 11:41:07
-0500
** Affects: mediawiki (Ubuntu)
Importance: Wishlist
Status: Confirmed
** Changed in: mediawiki (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: mediawiki (Ubuntu)
Status: New => Confirmed
--
Sync mediawiki 1:1.15.3-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/584360
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
