lp:ubuntu/precise/mediawiki

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/precise/mediawiki

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

34. By Thorsten Glaser

debian/patches/CVE-2011-4360.patch: remove – the information
disclosure does not happen on 1.15 and the patch would not
work anyway because the OutputPage object has no setTitle
method (this prevents a PHP fatal error when someone has no
permissions, instead reverting to the pre-1:1.15.5-4 behaviour
of showing a page asking the user to log in)

33. By Jonathan Wiltshire

Security fixes from upstream:
CVE-2011-1578: XSS for IE <= 6
CVE-2011-1579: CSS validation error in wikitext parser
CVE-2011-1580: access control checks on transwiki import feature
CVE-2011-1587: fix incomplete patch for CVE-2011-1578

32. By Jonathan Wiltshire

[ Thorsten Glaser ]
* debian/patches/fix_invalid_sql.patch: new (Closes: #615983)

[ Jonathan Wiltshire ]
* Security fixes from upstream (Closes: #650434):
  CVE-2011-4360 - page titles on private wikis could be exposed
  bypassing different page ids to index.php
  CVE-2011-4361 - action=ajax requests were dispatched to the
  relevant function without any read permission checks being done

31. By Adam Conrad

Rebuild to pick up armel ocaml fixes.

30. By Jonathan Wiltshire

[ Thorsten Glaser ]
* debian/patches/fix_datetime.patch: new, convert argument into
  the format expected by other methods, fixes date/time output
  in e.g. the News/RSS extensions

[ Jonathan Wiltshire ]
* CVE-2011-0047: Protect against a CSS injection vulnerability
  (closes: #611787)
* Update my email address

29. By Jonathan Wiltshire

CVE-2011-0003: Protect against clickjacking by sending the
X-Frame-Options header in all pages (except normal page views
and a few selected special pages). Patch as released by upstream

28. By Jonathan Wiltshire

[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
  about session_start() being called twice also in the PHP error
  log, not just MediaWiki’s, for example run from FusionForge

[ Jonathan Wiltshire ]
* New upstream security release:
  - correctly set caching headers to prevent private data leakage
    (closes: #590660, LP: #610782)
  - fix XSS vulnerability in profileinfo.php
    (closes: #590669, LP: #610819)

27. By Jonathan Wiltshire

[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser

[ Jonathan Wiltshire ]
* debian/source/format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
  remove the original definition (LP: #406358)
* debian/README.source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation.patch improves documentation of
  maintenance/dumpBackup.php (closes: #572355)
* Standards version 3.9.0 (no changes)

26. By Romain Beauxis

[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
  Fix a cross-site scripting (XSS) vulnerability which allows
  remote attackers to inject arbitrary web script or HTML via crafted
  Cascading Style Sheets (CSS) strings that are processed as script by
  Internet Explorer.
* CVE-2010-1648:
  Fix a cross-site request forgery (CSRF) vulnerability in the login interface
  which allows remote attackers to hijack the authentication of users for
  requests that (1) create accounts or (2) reset passwords, related to the
  Special:Userlogin form.

[ Romain Beauxis ]
* Put debian's package version in declared version.
  Should help sysadmins to keep track of installed
  versions, in particular with regard to security
  updates.
* Added Jonathan Wiltshire to uploaders.
* Do not clean math dir if it does not exist (for instance
  when running clean from SVN).

25. By Andreas Wenning

* SECURITY UPDATE: A CSRF vulnerability was discovered in our login
  interface. Although regular logins are protected as of 1.15.3, it was
  discovered that the account creation and password reset features were not
  protected from CSRF. This could lead to unauthorised access to private
  wikis. (LP: #586773)
  - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
  - patch from upstream SVN rev. 66991
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
* SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
  allows attackers to construct CSS strings which are treated as safe by
  previous versions of MediaWiki, but are decoded to unsafe strings by
  Internet Explorer. (LP: #586773)
  - debian/patches/XSS-IE-no-CVE_rev-66992.patch
  - patch from upstream SVN rev. 66992
  - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
  - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/quantal/mediawiki
This branch contains Public information