Created by James Westby on 2009-07-27 and last modified on 2013-09-08
Get this branch:
bzr branch lp:debian/squeeze/mediawiki

Recent revisions

30. By Jonathan Wiltshire on 2013-09-08

CVE-2013-4302: apply patch from upstream to prevent
access to anti-CSRF tokens via JSONP

29. By Jonathan Wiltshire on 2012-12-16

[ Dominik George ]
* Security fixes from upstream (Closes: #694998):
  - CVE-2012-5391 - Prevent session fixation in Special:UserLogin
  - Prevent linker regex from exceeding backtrack limit

28. By Jonathan Wiltshire on 2012-01-21

Disable CVE-2011-4360.patch, it causes ugly error messages in certain
situations. The CVE does not apply to this release.

27. By Jonathan Wiltshire on 2011-02-06

CVE-2011-0047: Protect against a CSS injection vulnerability
(closes: #611787)

26. By Jonathan Wiltshire on 2011-01-04

CVE-2011-0003: Protect against clickjacking by sending the
X-Frame-Options header in all pages (except normal page views
and a few selected special pages). Patch as released by upstream

25. By Jonathan Wiltshire on 2010-07-28

[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
  about session_start() being called twice also in the PHP error
  log, not just MediaWiki’s, for example run from FusionForge

[ Jonathan Wiltshire ]
* New upstream security release:
  - correctly set caching headers to prevent private data leakage
    (closes: #590660, LP: #610782)
  - fix XSS vulnerability in profileinfo.php
    (closes: #590669, LP: #610819)

24. By Jonathan Wiltshire on 2010-06-29

[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser

[ Jonathan Wiltshire ]
* debian/source/format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
  remove the original definition (LP: #406358)
* debian/README.source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation.patch improves documentation of
  maintenance/dumpBackup.php (closes: #572355)
* Standards version 3.9.0 (no changes)

23. By Romain Beauxis on 2010-06-21

[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
  Fix a cross-site scripting (XSS) vulnerability which allows
  remote attackers to inject arbitrary web script or HTML via crafted
  Cascading Style Sheets (CSS) strings that are processed as script by
  Internet Explorer.
* CVE-2010-1648:
  Fix a cross-site request forgery (CSRF) vulnerability in the login interface
  which allows remote attackers to hijack the authentication of users for
  requests that (1) create accounts or (2) reset passwords, related to the
  Special:Userlogin form.

[ Romain Beauxis ]
* Put debian's package version in declared version.
  Should help sysadmins to keep track of installed
  versions, in particular with regard to security
* Added Jonathan Wiltshire to uploaders.
* Do not clean math dir if it does not exist (for instance
  when running clean from SVN).

22. By Romain Beauxis on 2010-04-16

* New upstream release.
* Fixes security issue:
  "MediaWiki was found to be vulnerable to login CSRF. An attacker who
  controls a user account on the target wiki can force the victim to log
  in as the attacker, via a script on an external website. If the wiki is
  configured to allow user scripts, say with "$wgAllowUserJs = true" in
  LocalSettings.php, then the attacker can proceed to mount a
  phishing-style attack against the victim to obtain their password."

21. By Romain Beauxis on 2010-03-15

* New upstream release.
* Fixes security issue:
  "Two security issues were discovered:

  A CSS validation issue was discovered which allows editors to display
  external images in wiki pages. This is a privacy concern on public
  wikis, since a malicious user may link to an image on a server they
  control, which would allow that attacker to gather IP addresses and
  other information from users of the public wiki. All sites running
  publicly-editable MediaWiki installations are advised to upgrade. All
  versions of MediaWiki (prior to this one) are affected.

  A data leakage vulnerability was discovered in thumb.php which affects
  wikis which restrict access to private files using img_auth.php, or
  some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
  in README.Debian since they do not exist in any supported distribution
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
  Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
  feed element.
  Closes: #383130
* Refreshed patches.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)