Debian Bug report logs - #650434
mediawiki: two security issues (fixed in 1.17.1)

Package: mediawiki; Maintainer for mediawiki is Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>; Source for mediawiki is src:mediawiki.

Reported by: Luciano Bello <luciano@debian.org>

Date: Tue, 29 Nov 2011 18:39:09 UTC

Severity: grave

Tags: patch, security

Fixed in versions mediawiki/1:1.15.5-4, mediawiki/1:1.12.0-2lenny9, mediawiki/1:1.15.5-2squeeze2

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#650434; Package mediawiki. (Tue, 29 Nov 2011 18:39:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 29 Nov 2011 18:39:12 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: mediawiki: two security issues (fixed in 1.17.1)
Date: Tue, 29 Nov 2011 19:38:46 +0100
Package: mediawiki
Severity: grave
Tags: security patch

Hi Mediawiki Maintenance Team,
	In the 1.17.1 release announcement, two grave vulnerabilities have been
fixed:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
	Patches are included in the wikimedia bugzilla:
https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
	Please consider backporting those patches to stable and oldstable since
they look affected. Coordinate a DSA release with the security team.

Regards,

/luciano




Information stored :
Bug#650434; Package mediawiki. (Wed, 30 Nov 2011 11:03:35 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and filed, but not forwarded. (Wed, 30 Nov 2011 11:03:44 GMT) Full text and rfc822 format available.

Message #10 received at 650434-quiet@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: <650434-quiet@bugs.debian.org>, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: <submit@bugs.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#650434: mediawiki: two security issues (fixed in 1.17.1)
Date: Wed, 30 Nov 2011 10:56:22 +0000

This is CVE-2011-4360 and CVE-2011-4361.


--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Added tag(s) pending. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Wed, 30 Nov 2011 22:51:07 GMT) Full text and rfc822 format available.

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Wed, 30 Nov 2011 23:03:16 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 30 Nov 2011 23:03:16 GMT) Full text and rfc822 format available.

Message #17 received at 650434-close@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 650434-close@bugs.debian.org
Subject: Bug#650434: fixed in mediawiki 1:1.15.5-4
Date: Wed, 30 Nov 2011 23:02:30 +0000
Source: mediawiki
Source-Version: 1:1.15.5-4

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.15.5-4_amd64.deb
  to main/m/mediawiki/mediawiki-math_1.15.5-4_amd64.deb
mediawiki_1.15.5-4.debian.tar.gz
  to main/m/mediawiki/mediawiki_1.15.5-4.debian.tar.gz
mediawiki_1.15.5-4.dsc
  to main/m/mediawiki/mediawiki_1.15.5-4.dsc
mediawiki_1.15.5-4_all.deb
  to main/m/mediawiki/mediawiki_1.15.5-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 30 Nov 2011 22:42:52 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.5-4
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 615983 650434
Changes: 
 mediawiki (1:1.15.5-4) unstable; urgency=low
 .
   [ Thorsten Glaser ]
   * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)
 .
   [ Jonathan Wiltshire ]
   * Security fixes from upstream (Closes: #650434):
     CVE-2011-4360 - page titles on private wikis could be exposed
     bypassing different page ids to index.php
     CVE-2011-4361 - action=ajax requests were dispatched to the
     relevant function without any read permission checks being done

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#650434; Package mediawiki. (Mon, 05 Dec 2011 22:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 05 Dec 2011 22:33:05 GMT) Full text and rfc822 format available.

Message #22 received at 650434@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: team@security.debian.org
Cc: 650434@bugs.debian.org
Subject: Re: Bug#650434: mediawiki: two security issues (fixed in 1.17.1)
Date: Mon, 5 Dec 2011 22:22:11 +0000
[Message part 1 (text/plain, inline)]
On Tue, Nov 29, 2011 at 07:38:46PM +0100, Luciano Bello wrote:
> 	In the 1.17.1 release announcement, two grave vulnerabilities have been
> fixed:
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
> 	Patches are included in the wikimedia bugzilla:
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
> 	Please consider backporting those patches to stable and oldstable since
> they look affected. Coordinate a DSA release with the security team.

Please find patches attached. The upload in unstable has migrated and these
backports have had limited testing from me, as I only have a small wiki to
play with.

If you approve please allocate a DSA number and I will write up the text.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[mw_lenny9.diff (text/x-diff, attachment)]
[mw_lenny9.diffstat (text/plain, attachment)]
[mw_squeeze2.diff (text/x-diff, attachment)]
[mw_squeeze2.diffstat (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#650434; Package mediawiki. (Tue, 06 Dec 2011 19:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 06 Dec 2011 19:06:03 GMT) Full text and rfc822 format available.

Message #27 received at 650434@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: team@security.debian.org, 650434@bugs.debian.org
Subject: Re: Bug#650434: mediawiki: two security issues (fixed in 1.17.1)
Date: Tue, 6 Dec 2011 20:01:18 +0100

On Mon, Dec 05, 2011 at 10:22:11PM +0000, Jonathan Wiltshire wrote:
> On Tue, Nov 29, 2011 at 07:38:46PM +0100, Luciano Bello wrote:
> > 	In the 1.17.1 release announcement, two grave vulnerabilities have been
> > fixed:
> > http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
> > 	Patches are included in the wikimedia bugzilla:
> > https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
> > https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
> > 	Please consider backporting those patches to stable and oldstable since
> > they look affected. Coordinate a DSA release with the security team.
> 
> Please find patches attached. The upload in unstable has migrated and these
> backports have had limited testing from me, as I only have a small wiki to
> play with.
> 
> If you approve please allocate a DSA number and I will write up the text.

What's the status of the following for stable?
http://security-tracker.debian.org/tracker/CVE-2011-1578
http://security-tracker.debian.org/tracker/CVE-2011-1579
http://security-tracker.debian.org/tracker/CVE-2011-1580

Otherwise, please upload. You can allocate the DSA ID yourself by running
bin/gen-DSA as outlined here and commit the new blob in data/DSA/list:
http://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecSecr

I'll take care of sending out the DSA.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#650434; Package mediawiki. (Sun, 18 Dec 2011 16:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 18 Dec 2011 16:39:06 GMT) Full text and rfc822 format available.

Message #32 received at 650434@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: team@security.debian.org
Cc: 650434@bugs.debian.org
Subject: Re: Bug#650434: mediawiki: two security issues (fixed in 1.17.1)
Date: Sun, 18 Dec 2011 16:34:51 +0000
[Message part 1 (text/plain, inline)]
On Tue, Dec 06, 2011 at 08:01:18PM +0100, Moritz Muehlenhoff wrote:
> What's the status of the following for stable?
> http://security-tracker.debian.org/tracker/CVE-2011-1578
> http://security-tracker.debian.org/tracker/CVE-2011-1579
> http://security-tracker.debian.org/tracker/CVE-2011-1580
> 
> Otherwise, please upload. You can allocate the DSA ID yourself by running
> bin/gen-DSA as outlined here and commit the new blob in data/DSA/list:
> http://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecSecr

New diffs attached, please review.

lenny9:
 debian/patches/CVE-2011-1578.patch     |  135 +++++++++++++++++++++++++++++++++
 debian/patches/CVE-2011-1579.patch     |   81 +++++++++++++++++++
 debian/patches/CVE-2011-1580.patch     |   52 ++++++++++++
 debian/patches/CVE-2011-1587.patch     |   37 +++++++++
 debian/patches/CVE-2011-4360.patch     |   31 +++++++
 debian/patches/CVE-2011-4361.patch     |   35 ++++++++
 mediawiki-1.12.0/debian/changelog      |   14 +++
 mediawiki-1.12.0/debian/patches/series |    6 +
 8 files changed, 391 insertions(+)

squeeze2:
 changelog                   |   14 ++++
 patches/CVE-2011-1578.patch |  134 ++++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2011-1579.patch |   80 ++++++++++++++++++++++++++
 patches/CVE-2011-1580.patch |   68 ++++++++++++++++++++++
 patches/CVE-2011-1587.patch |   37 ++++++++++++
 patches/CVE-2011-4360.patch |   31 ++++++++++
 patches/CVE-2011-4361.patch |   35 +++++++++++
 patches/series              |    6 +
 8 files changed, 405 insertions(+)

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[mw_lenny9.diff (text/x-diff, attachment)]
[mw_squeeze2.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#650434; Package mediawiki. (Sun, 18 Dec 2011 19:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 18 Dec 2011 19:51:03 GMT) Full text and rfc822 format available.

Message #37 received at 650434@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: team@security.debian.org, 650434@bugs.debian.org
Subject: Re: Bug#650434: mediawiki: two security issues (fixed in 1.17.1)
Date: Sun, 18 Dec 2011 20:48:24 +0100

On Sun, Dec 18, 2011 at 04:34:51PM +0000, Jonathan Wiltshire wrote:
> On Tue, Dec 06, 2011 at 08:01:18PM +0100, Moritz Muehlenhoff wrote:
> > What's the status of the following for stable?
> > http://security-tracker.debian.org/tracker/CVE-2011-1578
> > http://security-tracker.debian.org/tracker/CVE-2011-1579
> > http://security-tracker.debian.org/tracker/CVE-2011-1580
> > 
> > Otherwise, please upload. You can allocate the DSA ID yourself by running
> > bin/gen-DSA as outlined here and commit the new blob in data/DSA/list:
> > http://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecSecr
> 
> New diffs attached, please review.

Please upload to security-master

Cheers,
        Moritz




Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Tue, 20 Dec 2011 01:57:04 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 20 Dec 2011 01:57:04 GMT) Full text and rfc822 format available.

Message #42 received at 650434-close@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 650434-close@bugs.debian.org
Subject: Bug#650434: fixed in mediawiki 1:1.12.0-2lenny9
Date: Tue, 20 Dec 2011 01:54:50 +0000
Source: mediawiki
Source-Version: 1:1.12.0-2lenny9

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.12.0-2lenny9_amd64.deb
  to main/m/mediawiki/mediawiki-math_1.12.0-2lenny9_amd64.deb
mediawiki_1.12.0-2lenny9.diff.gz
  to main/m/mediawiki/mediawiki_1.12.0-2lenny9.diff.gz
mediawiki_1.12.0-2lenny9.dsc
  to main/m/mediawiki/mediawiki_1.12.0-2lenny9.dsc
mediawiki_1.12.0-2lenny9_all.deb
  to main/m/mediawiki/mediawiki_1.12.0-2lenny9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Dec 2011 23:19:40 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny9
Distribution: oldstable-security
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 650434
Changes: 
 mediawiki (1:1.12.0-2lenny9) oldstable-security; urgency=low
 .
   * Security fixes from upstream (Closes: #650434):
     CVE-2011-4360 - page titles on private wikis could be exposed
     bypassing different page ids to index.php
     CVE-2011-4361 - action=ajax requests were dispatched to the
     relevant function without any read permission checks being done
     CVE-2011-1578 - XSS for IE <= 6
     CVE-2011-1579 - CSS validation error in wikitext parser
     CVE-2011-1580 - access control checks on transwiki import feature
     CVE-2011-1587 - fix incomplete patch for CVE-2011-1578

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Wed, 21 Dec 2011 01:57:04 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 21 Dec 2011 01:57:04 GMT) Full text and rfc822 format available.

Message #47 received at 650434-close@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 650434-close@bugs.debian.org
Subject: Bug#650434: fixed in mediawiki 1:1.15.5-2squeeze2
Date: Wed, 21 Dec 2011 01:55:39 +0000
Source: mediawiki
Source-Version: 1:1.15.5-2squeeze2

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.15.5-2squeeze2_amd64.deb
  to main/m/mediawiki/mediawiki-math_1.15.5-2squeeze2_amd64.deb
mediawiki_1.15.5-2squeeze2.debian.tar.gz
  to main/m/mediawiki/mediawiki_1.15.5-2squeeze2.debian.tar.gz
mediawiki_1.15.5-2squeeze2.dsc
  to main/m/mediawiki/mediawiki_1.15.5-2squeeze2.dsc
mediawiki_1.15.5-2squeeze2_all.deb
  to main/m/mediawiki/mediawiki_1.15.5-2squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Dec 2011 23:17:47 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.5-2squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 650434
Changes: 
 mediawiki (1:1.15.5-2squeeze2) stable-security; urgency=low
 .
   * Security fixes from upstream (Closes: #650434):
     CVE-2011-4360 - page titles on private wikis could be exposed
     bypassing different page ids to index.php
     CVE-2011-4361 - action=ajax requests were dispatched to the
     relevant function without any read permission checks being done
     CVE-2011-1578 - XSS for IE <= 6
     CVE-2011-1579 - CSS validation error in wikitext parser
     CVE-2011-1580 - access control checks on transwiki import feature
     CVE-2011-1587 - fix incomplete patch for CVE-2011-1578

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:34:58 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 18:48:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.