2012
mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
* Disable CVE-2011-4360.patch, it causes ugly error messages in certain situations. The CVE does not apply to this release.
-- Jonathan Wiltshire <jmw@debian.org> Sat, 21 Jan 2012 20:59:36 +0000
mediawiki (1:1.15.5-2squeeze3) stable; urgency=low
* debian/patches/CVE-2012-0046.patch: security fix for unintended exposure of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694)
-- Jonathan Wiltshire <jmw@debian.org> Fri, 13 Jan 2012 10:54:43 +0000
2011
mediawiki (1:1.15.5-2squeeze2) stable-security; urgency=low
* Security fixes from upstream (Closes: #650434): CVE-2011-4360 - page titles on private wikis could be exposed bypassing different page ids to index.php CVE-2011-4361 - action=ajax requests were dispatched to the relevant function without any read permission checks being done CVE-2011-1578 - XSS for IE <= 6 CVE-2011-1579 - CSS validation error in wikitext parser CVE-2011-1580 - access control checks on transwiki import feature CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
-- Jonathan Wiltshire <jmw@debian.org> Sun, 18 Dec 2011 23:17:47 +0000
mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
* CVE-2011-0047: Protect against a CSS injection vulnerability (closes: #611787)
-- Jonathan Wiltshire <debian@jwiltshire.org.uk> Sun, 06 Feb 2011 13:45:39 +0000
mediawiki (1:1.15.5-2) testing-security; urgency=high
* CVE-2011-0003: Protect against clickjacking by sending the X-Frame-Options header in all pages (except normal page views and a few selected special pages). Patch as released by upstream
-- Jonathan Wiltshire <debian@jwiltshire.org.uk> Tue, 04 Jan 2011 22:39:26 +0000
2010
mediawiki (1:1.15.5-1) unstable; urgency=high
[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge
[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819)
-- Jonathan Wiltshire <debian@jwiltshire.org.uk> Wed, 28 Jul 2010 12:23:04 +0100
mediawiki (1:1.15.4-2) unstable; urgency=low
[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser
[ Jonathan Wiltshire ]
* debian/source/format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
remove the original definition (LP: #406358)
* debian/README.source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation.patch improves documentation of
maintenance/dumpBackup.php (closes: #572355)
* Standards version 3.9.0 (no changes)
-- Jonathan Wiltshire <debian@jwiltshire.org.uk> Tue, 29 Jun 2010 14:20:35 +0100
mediawiki (1:1.15.4-1) unstable; urgency=high
[ Jonathan Wiltshire ] * New upstream security release (closes: #585918). * CVE-2010-1647: Fix a cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. * CVE-2010-1648: Fix a cross-site request forgery (CSRF) vulnerability in the login interface which allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. [ Romain Beauxis ] * Put debian's package version in declared version. Should help sysadmins to keep track of installed versions, in particular with regard to security updates. * Added Jonathan Wiltshire to uploaders. * Do not clan math dir if it does not exist (for instance when running clean from SVN).
-- Romain Beauxis <toots@rastageeks.org> Mon, 21 Jun 2010 23:41:29 +0200
mediawiki (1:1.15.3-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
-- Romain Beauxis <toots@rastageeks.org> Fri, 16 Apr 2010 14:44:09 -0500
mediawiki (1:1.15.2-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
in README.Debian since they do not exist in any supported distribution
anymore.
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
feed element.
Closes: #383130
* Refreshed patches.
-- Romain Beauxis <toots@rastageeks.org> Mon, 15 Mar 2010 11:41:07 -0500
2009
mediawiki (1:1.15.1-1) unstable; urgency=low
* New upstream release.
* Ack previous NMU, thanks to Nico Golde for taking care
of this.
-- Romain Beauxis <toots@rastageeks.org> Sun, 09 Aug 2009 10:46:41 -0500
mediawiki (1:1.15.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cross-site scripting in [[Special:Block]]
(No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-- Nico Golde <nion@debian.org> Sun, 26 Jul 2009 18:11:07 +0200
mediawiki (1:1.15.0-1) unstable; urgency=low
* New upstream release. * Upstream added support for OASIS documents. Closes: #530328 * Refreshed quilt patches * Bumped standards versions to 3.8.2 * Bumped compat to 7 * Pointed to GPL-2 in debian/copyright * Added php5-sqlite to possible DB backend dependencies. Closes: #501569 * Proofread README.Debian, upgrade is documented there. Closes: #520121
-- Romain Beauxis <toots@rastageeks.org> Fri, 19 Jun 2009 01:38:50 +0200
mediawiki (1:1.14.0-1) unstable; urgency=low
* New upstream release.
* Fixed issues in the installer:
"A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php).
These vulnerabilities all require a live installer once the installer
has been used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled
copy of MediaWiki on the same site as an active web service, MediaWiki
could be used to attack the active service."
Closes: #514547
* Fixed typo in README.Debian
Closes: #515192
* Updated japanese debconf translation, thanks to Hideki Yamane
Closes: #510896
* Added a file in debian/copyright
-- Romain Beauxis <toots@rastageeks.org> Fri, 06 Mar 2009 20:29:17 +0100
2008
mediawiki (1:1.13.3-1) unstable; urgency=low
* New upstream release. * Fix CVE-2008-5249: XSS vulnerability in MediaWiki: "An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and 1.13.2." Closes: #508868 * Fix CVE-2008-5250: several local script injection vulnerabilities in MediaWiki: "o A local script injection vulnerability affecting Internet Explorer clients for all MediaWiki installations with uploads enabled. o A local script injection vulnerability affecting clients with SVG scripting capability (such as Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled." Closes: #508869 * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import feature in MediaWiki: "A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki installations since the feature was introduced in 1.3.0." Closes: #508870
-- Romain Beauxis <toots@rastageeks.org> Thu, 18 Dec 2008 02:37:58 +0100
mediawiki (1:1.13.2-1) unstable; urgency=low
* New upstream release * Fix CVE-2008-4408: XSS in mediawiki: "Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component." Closes: #501115
-- Romain Beauxis <toots@rastageeks.org> Sat, 11 Oct 2008 15:02:39 +0200
mediawiki (1:1.13.0-2) unstable; urgency=low
* Removed buggy postgresql patch Closes: #497042
-- Romain Beauxis <toots@rastageeks.org> Sat, 30 Aug 2008 14:06:47 +0200
mediawiki (1:1.13.0-1) unstable; urgency=low
* New upstream release * Fixed watch file. Closes: #490009 * Refreshed patches * Bumped standard-version to 3.8.0 * Fixed latex-related dependencies in mediawiki-math * Removed obsolete linda override, thanks lintian !
-- Romain Beauxis <toots@rastageeks.org> Sun, 17 Aug 2008 11:01:43 +0200
mediawiki (1:1.12.0-2) unstable; urgency=low
* Fixed postgresql dependency Closes: #472987 * Added instructions to install and upgrade Closes: #472990, #472831
-- Romain Beauxis <toots@rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
mediawiki (1:1.12.0-1) unstable; urgency=low
* New upstream release
* Updated patch for postfix support: dropped what
has been implemented upstream
* Refreshed other patches, thanks to quilt
* Changed postgresql recommends to "postgresql" package
Closes: #469582
-- Romain Beauxis <toots@rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
mediawiki (1:1.11.2-2) unstable; urgency=high
* Added patch to fix pgsql select, thanks to Marc Dequènes Closes: #469841 * Upated README.Debian to mention php5-gd instead of php5-gd2 and texlive-latex-base instead to tetex-bin. Closes: #469558 * still setting urgency to high since previous upload didn't make it to testing.
-- Romain Beauxis <toots@rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
mediawiki (1:1.11.2-1) unstable; urgency=high
* New upstream release
* Security fix:
"Possible cross-site information leaks using the callback
parameter for JSON-formatted results in the API are prevented by
dropping user credentials."
* Added informations on LocalSettings.php in README.Debian
Closes: #462609
-- Romain Beauxis <toots@rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
mediawiki (1:1.11.1-1) unstable; urgency=high
* New upstream release
* A potential XSS injection vector affecting
Microsoft Internet Explorer users has been
closed.
-- Romain Beauxis <toots@rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
mediawiki (1:1.11.0-4) unstable; urgency=low
* Really add the patch for #459312
* Added also patch to fix #459617
Closes: #459617
* Merged two previous patches
-- Romain Beauxis <toots@rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
mediawiki (1:1.11.0-3) unstable; urgency=low
* Really remove debian specific scripts
* Backported patch to fix unserialize with postgre
Closes: #459312
* Added finnish translation of the debconf templates, thanks to Esko
Arajärvi. Closes: #456983
* Updated standards to 3.7.3 (no changes)
-- Romain Beauxis <toots@rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
2007
mediawiki (1:1.11.0-2) unstable; urgency=low
* Initial upload of 1.11.0 to unstable
-- Romain Beauxis <toots@rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
mediawiki (1:1.11.0-1) experimental; urgency=low
* Removed mediawikiX versioned packages * Updated to mediawiki 1.11 * Removed automatic upgrade script * Updated README.Debian (Closes: #442311, #442302) * Changed default upload directory (Closes: #444445)
-- Romain Beauxis <toots@rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
mediawiki (1:1.10) unstable; urgency=low
* Switched to mediawiki1.10 * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
-- Romain Beauxis <toots@rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
mediawiki (1:1.9) unstable; urgency=low
* Switched to mediawiki1.9, closes: #392932 * Corrected typo in control, closes: #414121 * Seperated -math extension to a single package, closes: #401714
-- Romain Beauxis <toots@rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
2006
mediawiki (1:1.7) unstable; urgency=low
* Initial Release
-- Romain Beauxis <toots@rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100