lp:debian/mediawiki

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/mediawiki

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

64. By Thijs Kinkhorst

* Non-maintainer upload.
* Add patch fixing several security issues:
  - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
    contain XML entities, to prevent various DoS attacks.
  - (bug T88310) SECURITY: Always expand xml entities when checking
    SVG's.
  - (bug T73394) SECURITY: Escape > in Html::expandAttributes to
    prevent XSS.
  - (bug T85855) SECURITY: Don't execute another user's CSS or JS
    on preview.
  - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
    fixed in SVG filtering to prevent XSS and protect viewer's
    privacy.

63. By Sebastien Delafond

* Non-maintainer upload.
* Add patch fixing T76686: thumb.php outputs wikitext message as raw
  HTML, which could lead to XSS. Permission to edit MediaWiki namespace
  is required to exploit this.

62. By Sebastien Delafond

* Non-maintainer upload.
* CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
  poses a potentially severe security problem for API clients written in
  PHP, in that format=php is affected (Closes: #772764).

61. By Thorsten Glaser

* Team upload.
* Remove myself from Uploaders.

60. By Thorsten Glaser

* Make debian/rules get-orig-source-tg call uscan automatically
* New upstream security release:
  - (bug 70672) SECURITY: OutputPage: Remove separation of css
    and js module allowance.

59. By Thorsten Glaser

[ Mert Dirik ]
* Update Turkish Debconf translation (Closes: #759878)

[ Thorsten Glaser ]
* Remove Romain Beauxis’ bouncing eMail address
* Acknowledge NMU (1:1.19.18+dfsg-0.1) – thanks!
* New upstream security and maintenance release:
  - (bug 69008) SECURITY: Enhance CSS filtering in SVG files.
    Filter <style> elements; normalize style elements and
    attributes before filtering; add checks for attributes that
    contain css; add unit tests for html5sec and reported bugs.
* Bump Policy (no change required)
* Update lintian overrides

58. By Salvatore Bonaccorso

* Non-maintainer upload with maintainers approval.
* Imported Upstream version 1.19.18+dfsg
  (Closes: #758510)
  - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
  - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
    OutputPage and ParserOutput.

57. By Thorsten Glaser

* New upstream security and maintenance release:
  - (bug 65839) SECURITY: Prevent external resources in SVG files.
  - (bug 66428) MimeMagic: Don't seek before BOF. This has weird
    side effects like only extracting the tail of the file partially
    or not at all.
* Update lintian overrides

56. By Thorsten Glaser

* New upstream security and maintenance release:
  - CVE-2014-3966 (bug 65501) SECURITY: Don't parse usernames as
    wikitext on Special:PasswordReset.
* Update debian/upstream/signing-key.asc

55. By Thorsten Glaser

* Depend on recent enough php5-common version to be able to use
  php5{en,dis}mod in maintainer scripts (Closes: #743893)
* Urgency high because this rides on the previous security fix

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/squeeze/mediawiki