Public bug reported: Please sync mediawiki 1:1.15.3-1 (universe) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped: The Ubuntu package contains the upstream security fixes as included in the 1.15.2/3 package; they were only added manually to be sure of getting only the security fixes after the lucid feature freeze.

Changelog entries since current maverick version 1:1.15.1-1ubuntu2:

mediawiki (1:1.15.3-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
    "MediaWiki was found to be vulnerable to login CSRF. An attacker who
    controls a user account on the target wiki can force the victim to log in
    as the attacker, via a script on an external website. If the wiki is
    configured to allow user scripts, say with "$wgAllowUserJs = true" in
    LocalSettings.php, then the attacker can proceed to mount a phishing-style
    attack against the victim to obtain their password."

 -- Romain Beauxis <to...@rastageeks.org>  Fri, 16 Apr 2010 14:44:09 -0500

mediawiki (1:1.15.2-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
    "Two security issues were discovered:
    A CSS validation issue was discovered which allows editors to display
    external images in wiki pages. This is a privacy concern on public wikis,
    since a malicious user may link to an image on a server they control,
    which would allow that attacker to gather IP addresses and other
    information from users of the public wiki. All sites running
    publicly-editable MediaWiki installations are advised to upgrade. All
    versions of MediaWiki (prior to this one) are affected.
    A data leakage vulnerability was discovered in thumb.php which affects
    wikis which restrict access to private files using img_auth.php, or some
    similar scheme. All versions of MediaWiki since 1.5 are affected."
  * Updated standards.
  * Removed section about upgrading from mediawiki1.x packages in README.Debian
    since they do not exist in any supported distribution anymore.
  * Switched php5-gd and imagemagick in Suggests. Closes: #542008
  * Backported patch from revision 51083 to fix a bug with invalid titles.
    Closes: #537134
  * Backported patch from revision 61090 to add a unique guid per RSS feed
    element. Closes: #383130
  * Refreshed patches.

 -- Romain Beauxis <to...@rastageeks.org>  Mon, 15 Mar 2010 11:41:07 -0500

** Affects: mediawiki (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

** Changed in: mediawiki (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: mediawiki (Ubuntu)
       Status: New => Confirmed

-- 
Sync mediawiki 1:1.15.3-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/584360
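The login CSRF fixed in 1.15.3 is easier to reason about with a runnable model. The following is an added example written for this page, not MediaWiki's own code: a tiny in-memory wiki with two login handlers, one that accepts any request carrying valid credentials (the shape the changelog describes) and one that also demands a single-use token minted when the login form was served and stored in the caller's session. The attacker's page can make the victim's browser submit the form with the victim's cookie attached, but it cannot read the token tied to that session, so the forged login fails. The field name wpLoginToken, the account names and the passwords are all constructed for the demo.

```python
# Added example (not MediaWiki code): login CSRF in miniature.
# Two login handlers on a tiny in-memory wiki: one that accepts any POST with
# valid credentials, one that also requires a session-bound, single-use token.
# Field name wpLoginToken and all accounts/passwords are constructed for the demo.
import hmac
import secrets


class Wiki:
    def __init__(self):
        self.sessions = {}  # session cookie -> dict of server-side session data
        # Constructed accounts: the attacker knows only their own password.
        self.users = {"attacker": "attacker-pass", "victim": "victim-pass"}

    def new_session(self):
        """A browser visits the wiki for the first time and receives a cookie."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {}
        return cookie

    def render_login_form(self, cookie):
        """GET of the login page: mint a token, keep it in the session and
        embed it in the form (returned here as the form's hidden fields)."""
        token = secrets.token_hex(16)
        self.sessions[cookie]["login_token"] = token
        return {"wpLoginToken": token}

    def login_vulnerable(self, cookie, username, password, token=None):
        """Any request with valid credentials logs *this session* in, whoever
        submitted it. A form auto-posted from an external site therefore works."""
        if self.users.get(username) == password:
            self.sessions[cookie]["user"] = username
            return True
        return False

    def login_fixed(self, cookie, username, password, token=None):
        """Require the token bound to the session. The attacker's page can make
        the victim's browser send the cookie, but cannot read the token."""
        expected = self.sessions[cookie].pop("login_token", None)  # single use
        if expected is None or token is None:
            return False
        if not hmac.compare_digest(expected, token):
            return False
        if self.users.get(username) == password:
            self.sessions[cookie]["user"] = username
            return True
        return False

    def whoami(self, cookie):
        return self.sessions[cookie].get("user")


def forced_login(fixed):
    """Replay the attack; returns who the victim's session ends up logged in as."""
    wiki = Wiki()
    victim = wiki.new_session()
    wiki.render_login_form(victim)  # the victim has seen the login page at some point
    # An attacker-controlled page auto-submits this form to the wiki. The browser
    # attaches the victim's cookie; the token value is at best a guess.
    handler = wiki.login_fixed if fixed else wiki.login_vulnerable
    handler(victim, "attacker", "attacker-pass", token="not-the-real-token")
    return wiki.whoami(victim)


def legitimate_login():
    """The honest flow still works: fetch the form, post its token back."""
    wiki = Wiki()
    cookie = wiki.new_session()
    form = wiki.render_login_form(cookie)
    ok = wiki.login_fixed(cookie, "victim", "victim-pass", form["wpLoginToken"])
    return ok, wiki.whoami(cookie)


def token_is_single_use():
    """A captured token cannot be replayed once it has been consumed."""
    wiki = Wiki()
    cookie = wiki.new_session()
    form = wiki.render_login_form(cookie)
    first = wiki.login_fixed(cookie, "victim", "victim-pass", form["wpLoginToken"])
    second = wiki.login_fixed(cookie, "victim", "victim-pass", form["wpLoginToken"])
    return first, second


if __name__ == "__main__":
    print("vulnerable handler, victim's session logged in as:", forced_login(fixed=False))
    print("fixed handler, victim's session logged in as:", forced_login(fixed=True))
    print("legitimate login:", legitimate_login())
```

The point of binding the token to the session rather than to the account is that at login time there is no authenticated user yet; the only thing the legitimate browser has and the attacker's page lacks is the value the wiki placed in that browser's session when it served the form. Popping the token makes it single use, so a value that leaks through a log or a referer cannot be replayed later.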
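The CSS issue fixed in 1.15.2 comes down to an editor smuggling a remote resource reference past the style-attribute check, which is enough to log every reader's IP address on a server the editor controls. The block below is an added example for this page, not MediaWiki's Sanitizer: it shows the order of operations such a check needs (strip comments, decode CSS escapes, drop control characters, and only then look for url(), image-set(), @import or expression()), because checking the raw string lets forms like `\75rl(` or `u/**/rl(` through. The rule is deliberately coarse and refuses any remote reference regardless of host, which is the safe default for a public wiki. All sample declarations are constructed.

```python
# Added example (not MediaWiki's Sanitizer): refusing remote resource loads in a
# style attribute only after undoing the obfuscations CSS syntax allows.
# Sample inputs are constructed; the tracker hostname is illustrative.
import re

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escapes: \75 or \000075 (1-6 hex digits, optional trailing whitespace)
# or a backslash followed by any single character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# Anything that can fetch from, or hand control to, a third party.
_FORBIDDEN = re.compile(
    r"(?:url|image-set|expression)\s*\(|@import|javascript\s*:", re.I
)

REJECTED = "/* insecure input */"


def decode_css_escapes(value):
    """Turn \\75, \\000075 and \\u back into the characters they stand for."""
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _ESCAPE.sub(repl, value)


def normalize_css(value):
    """Comments first (so `u/**/rl(` becomes `url(`), then escapes, then
    control characters, then whitespace. The forbidden-token check runs on
    the result, never on the raw attribute value."""
    value = _COMMENT.sub("", value)
    value = decode_css_escapes(value)
    value = _CONTROL.sub("", value)
    return re.sub(r"\s+", " ", value).strip()


def check_css(value):
    """Return the normalized declaration, or REJECTED if it could fetch a
    remote resource and so leak readers' addresses to a third party."""
    norm = normalize_css(value)
    if _FORBIDDEN.search(norm):
        return REJECTED
    return norm


if __name__ == "__main__":
    for sample in [
        "color: red; font-weight: bold",
        "background: url(http://tracker.example/pixel.png)",
        "background: \\75rl(http://tracker.example/pixel.png)",
        "background: u/**/rl(http://tracker.example/pixel.png)",
        "background: \\000075rl(http://tracker.example/pixel.png)",
        "@\\69mport 'http://tracker.example/x.css'",
    ]:
        print(repr(sample), "->", check_css(sample))
```

Two design points carry over to any such filter. First, normalization must be complete before matching: a check that runs on the raw text is bypassed by every encoding it does not think of. Second, an allow-list of harmless properties is sturdier than a deny-list of dangerous tokens; the deny-list here is kept small so the decoding step, which is where real implementations have gone wrong, stays the focus.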