lp:ubuntu/maverick/mediawiki
- Get this branch:
- bzr branch lp:ubuntu/maverick/mediawiki
Branch information
Recent revisions
- 28. By Jonathan Wiltshire
-
[ Thorsten Glaser ]
* debian/patches/ suppress_ warnings. patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819) - 27. By Jonathan Wiltshire
-
[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser[ Jonathan Wiltshire ]
* debian/source/ format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_ config. patch: Don't just redefine MW_INSTALL_PATH,
remove the original definition (LP: #406358)
* debian/README. source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation. patch improves documentation of
maintenance/dumpBackup. php (closes: #572355)
* Standards version 3.9.0 (no changes) - 26. By Romain Beauxis
-
[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
Fix a cross-site scripting (XSS) vulnerability which allows
remote attackers to inject arbitrary web script or HTML via crafted
Cascading Style Sheets (CSS) strings that are processed as script by
Internet Explorer.
* CVE-2010-1648:
Fix a cross-site request forgery (CSRF) vulnerability in the login interface
which allows remote attackers to hijack the authentication of users for
requests that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form.[ Romain Beauxis ]
* Put debian's package version in declared version.
Should help sysadmins to keep track of installed
versions, in particular with regard to security
updates.
* Added Jonathan Wiltshire to uploaders.
* Do not clan math dir if it does not exist (for instance
when running clean from SVN). - 25. By Andreas Wenning
-
* SECURITY UPDATE: A CSRF vulnerability was discovered in our login
interface. Although regular logins are protected as of 1.15.3, it was
discovered that the account creation and password reset features were not
protected from CSRF. This could lead to unauthorised access to private
wikis. (LP: #586773)
- debian/patches/ CSRF-Special- Userlogin- no-CVE_ rev-66991. patch
- patch from upstream SVN rev. 66991
- http://lists.wikimedia .org/pipermail/ mediawiki- announce/ 2010-May/ 000091. html
- https://bugzilla. wikimedia. org/show_ bug.cgi? id=23371
* SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
allows attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. (LP: #586773)
- debian/patches/ XSS-IE- no-CVE_ rev-66992. patch
- patch from upstream SVN rev. 66992
- http://lists.wikimedia .org/pipermail/ mediawiki- announce/ 2010-May/ 000091. html
- https://bugzilla. wikimedia. org/show_ bug.cgi? id=23687 - 24. By Andreas Wenning
-
* SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
attacker who controls a user account on the target wiki can force the
victim to login as the attacker, via a script on an external website.
IMPORTANT: Fix includes a breaking change to the API login action. Any
clients using it will need to be updated. (LP: #557159)
- debian/patches/ CSRF-no- CVE_rev- 64680.patch
- patch from upstream SVN rev. 64680
- http://lists.wikimedia .org/pipermail/ mediawiki- announce/ 2010-April/ 000090. html
- https://bugzilla. wikimedia. org/show_ bug.cgi? id=23076 - 23. By Andreas Wenning
-
* SECURITY UPDATE: CSS validation issue allowing external images to be included
into wikis where that is disallowed by conf. (LP: #537974)
- debian/patches/ CSS-no- CVE_rev- 63429.patch
- patch from upstream SVN rev. 63429
- http://lists.wikimedia .org/pipermail/ mediawiki- announce/ 2010-March/ 000088. html
* SECURITY UPDATE: Data leakage vulnerability in thumb.php affecting wikis
which restrict access to private files using eg. img_auth.php.
- debian/patches/ DataLeakage- no-CVE_ rev-63436. patch
- patch from upstream SVN rev. 63436
- http://lists.wikimedia .org/pipermail/ mediawiki- announce/ 2010-March/ 000088. html - 22. By Romain Beauxis
-
* New upstream release.
* Ack previous NMU, thanks to Nico Golde for taking care
of this. - 21. By Nico Golde <email address hidden>
-
* Non-maintainer upload by the Security Team.
* Fix cross-site scripting in [[Special:Block]]
(No CVE id yet; XSS-no-CVE.patch; Closes: #537634). - 20. By Romain Beauxis
-
* New upstream release.
* Upstream added support for OASIS documents.
Closes: #530328
* Refreshed quilt patches
* Bumped standards versions to 3.8.2
* Bumped compat to 7
* Pointed to GPL-2 in debian/copyright
* Added php5-sqlite to possible DB backend dependencies.
Closes: #501569
* Proofread README.Debian, upgrade is documented there.
Closes: #520121 - 19. By Andreas Wenning
-
* Merge from debian unstable, remaining changes:
- Add debian/patches/ add-OOo- Mimetypes. diff
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/natty/mediawiki