lp:debian/lenny/mediawiki

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/lenny/mediawiki

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

8. By Jonathan Wiltshire

Security fixes from upstream (Closes: #650434):
CVE-2011-4360: page titles on private wikis could be exposed
by passing different page ids to index.php
CVE-2011-4361: action=ajax requests were dispatched to the
relevant function without any read permission checks being done
CVE-2011-1578: XSS for IE <= 6
CVE-2011-1579: CSS validation error in wikitext parser
CVE-2011-1580: access control checks on transwiki import feature
CVE-2011-1587: fix incomplete patch for CVE-2011-1578

7. By Jonathan Wiltshire

* Oldstable upload.
* CVE-2011-0047: Protect against a CSS injection vulnerability
  (closes: #611787)

6. By Jonathan Wiltshire

* Stable upload.
* CVE-2011-0003: Minimise risk of clickjacking by denying
  framing on all pages except normal page views and a few
  selected special pages

5. By Romain Beauxis

Security upload. Fixes the following issue (CVE-2010-1150):
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."

4. By Romain Beauxis

* Security upload.
* Applied changes from 1.12.4:
"A number of cross-site scripting (XSS) security vulnerabilities were
 discovered in the web-based installer (config/index.php). These
 vulnerabilities all require a live installer -- once the installer
 has been used to install a wiki, it is deactivated."
Closes: #514547

3. By Giuseppe Iuculano

* Security update, NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
* debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
  - Fixed output escaping for reporting of non-MediaWiki exceptions.
    Potential XSS if an extension throws one of these with user input.
  - Avoid fatal error in profileinfo.php when not configured.
  - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
    transwiki import feature.
  - Add a .htaccess to deleted images directory for additional protection
    against exposure of deleted files with known SHA-1 hashes on default
    installations.
  - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
    which are interpreted by IE as HTML.
  - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
    uploads are enabled. Firefox 1.5+ is affected.
  - Avoid streaming uploaded files to the user via index.php. This allows
    security-conscious users to serve uploaded files via a different domain,
    and thus client-side scripts executed from that domain cannot access the
    login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
  - When streaming files via index.php, use the MIME type detected from the
    file extension, not from the data. This reduces the XSS attack surface.
  - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
    XSS vulnerabilities involving uploads of files containing scripts.
Closes: #508869, #508870

2. By Romain Beauxis

Security update, fix CVE-2008-4408:
"Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component."
Closes: #501115

1. By Romain Beauxis

Initial Release

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/squeeze/mediawiki