Your message dated Wed, 28 Jul 2010 13:47:17 +0000
with message-id <e1oe6yb-0002ng...@franck.debian.org>
and subject line Bug#590669: fixed in mediawiki 1:1.15.5-1
has caused the Debian Bug report #590669,
regarding mediawiki: XSS vulnerability in profileinfo.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
590669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.15.4-2
Severity: serious
Tags: security upstream
Justification: user security hole, when default changed by local admin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html:
A cross-site scripting (XSS) vulnerability was discovered in
profileinfo.php. The vulnerability is only exposed when the script is
explicitly enabled in LocalSettings.php, with $wgEnableProfileInfo = true.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.16-1 Apache HTTP Server metapackage
ii apache2-mpm-prefork [httpd] 2.2.16-1 Apache HTTP Server - traditional n
ii debconf [debconf-2.0] 1.5.33 Debian configuration management sy
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii php5 5.3.2-2 server-side, HTML-embedded scripti
ii php5-mysql 5.3.2-2 MySQL module for php5
ii php5-pgsql 5.3.2-2 PostgreSQL module for php5
Versions of packages mediawiki recommends:
ii mysql-server 5.1.48-1 MySQL database server (metapackage
ii mysql-server-5.1 [mysql-serve 5.1.48-1 MySQL database server binaries and
ii php5-cli 5.3.2-2 command-line interpreter for the p
Versions of packages mediawiki suggests:
ii clamav 0.96.1+dfsg-3 anti-virus utility for Unix - comm
ii imagemagick 7:6.6.2.6-1 image manipulation programs
pn mediawiki-math <none> (no description available)
pn memcached <none> (no description available)
ii php5-gd 5.3.2-2 GD module for php5
-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
-- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJMUA2OAAoJEFOUR53TUkxR2bIP/1VZO1Vfj69Qt9bw0nJRa5OS
4SP6JbaFdm9GXyq1Se2IL+bMNztggFlUjx06DUSgkJWc47PHQEhhbJbMz6cGmWlv
Tx89sh+6QUOk0vaPUdRC68bqrW35M5iKSnYN45XmsUmr2CFvi96vmhAJ5//P26di
Z5aiwSbqJfrQEqQiMvz8FDu6pUnI3Im+uYESs5JnM7WZkwYSU4+Sq5SLKSdzNp71
8yHkUF01zYXiidGAIf/hRYocFM4aLlB9rumZHyibeSrM1znCUmpCuXHGLPurffp/
ha6sDEkjNJiW/lJLxTAwaf67Ug9QJ6T/2TZktszZkGmjoxY2VK/kQsNSuGLWixp+
DWQGhLh3sHG63RdlPevTL+Lk1QKklFlCH4ueN5zvIP70cW+x8m8DHWFnDFDcKPhB
TQ0XFS8BCRXrEztYO2sIbuBEVoDfRKnfHb8TGq6ngLBVAS04X4iugfCxXfwuYt8G
c2KI+M1WQq2HLZ+kBysUjhYk0VVgDSxSA9YM1rVoaGQakZ4nFMgtUz8s2YnNeFzR
sGAcwUAN6pzXx6BGUnBp8VrVN5coy3YZUq8ALoh0hMmxhj2nn8kt/0+wnH3Oz3o8
PskYswVLzS5mvUFXCrgdrhrQlK+3Z4j06a/uHnfPkRYLCUgEQVBADJQGJFoSufaP
2KGvL+/tSafQ9A4pUNVl
=yj3S
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.15.5-1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.15.5-1_i386.deb
to main/m/mediawiki/mediawiki-math_1.15.5-1_i386.deb
mediawiki_1.15.5-1.debian.tar.gz
to main/m/mediawiki/mediawiki_1.15.5-1.debian.tar.gz
mediawiki_1.15.5-1.dsc
to main/m/mediawiki/mediawiki_1.15.5-1.dsc
mediawiki_1.15.5-1_all.deb
to main/m/mediawiki/mediawiki_1.15.5-1_all.deb
mediawiki_1.15.5.orig.tar.gz
to main/m/mediawiki/mediawiki_1.15.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <deb...@jwiltshire.org.uk> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Wed, 28 Jul 2010 12:23:04 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all i386
Version: 1:1.15.5-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <deb...@jwiltshire.org.uk>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 590660 590669
Changes:
mediawiki (1:1.15.5-1) unstable; urgency=high
.
[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge
.
[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819)
Checksums-Sha1:
f41f629197929384c50da1871d6c566ad5da2115 2049 mediawiki_1.15.5-1.dsc
b157fe37bb89c78e5ffa0f27b14beb886db3a5f4 11595008 mediawiki_1.15.5.orig.tar.gz
c02e4ae0d9959ca1ca61f0de2813ddf597ceeb04 34517 mediawiki_1.15.5-1.debian.tar.gz
28cb5025e565aa88b4796ce866cc054cd3e972d7 11715442 mediawiki_1.15.5-1_all.deb
b11a75b14e038e9c4968f4bfbedaa1af92841f3c 282130 mediawiki-math_1.15.5-1_i386.deb
Checksums-Sha256:
8472862d6c0b3e1599061c747f2b2687a26138fff76f17d82f7bf6c0b00429a1 2049 mediawiki_1.15.5-1.dsc
f838c94af81e018dcf11f77674d2a363e97b8832d0d66416294fd301db720ab5 11595008 mediawiki_1.15.5.orig.tar.gz
51ada8022e17baea0e284ee20792f8ed735e131f47bc7e2413b32778b77a45f7 34517 mediawiki_1.15.5-1.debian.tar.gz
44ae005a15e28ed52d7c2ec67682108a78db07e4ca407518127ec75dc3f77827 11715442 mediawiki_1.15.5-1_all.deb
7420dd8f3ffc10ee3f24a591aed9f59bd14e7996e2dcc90e398f2063e805ec0c 282130 mediawiki-math_1.15.5-1_i386.deb
Files:
8a86fe456ac09165080969c25572b133 2049 web optional mediawiki_1.15.5-1.dsc
01c4c85fb96991d962c8acb3d892ec2d 11595008 web optional mediawiki_1.15.5.orig.tar.gz
c7bc284dbda0d93e073327dc73369467 34517 web optional mediawiki_1.15.5-1.debian.tar.gz
93c3da1d795bdee8a229cf4d4163b119 11715442 web optional mediawiki_1.15.5-1_all.deb
3bea785c5dcf9974644ab98510fd12b3 282130 web optional mediawiki-math_1.15.5-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)
=aS4D
-----END PGP SIGNATURE-----
--- End Message ---
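The close message above carries the Checksums-Sha256 and Files stanzas of the upload's .changes file, which is what a consumer of the archive uses to confirm that the downloaded .dsc, .orig.tar.gz, .debian.tar.gz and .deb files are the ones the uploader signed. The following script is an added example, not part of the Debian BTS message or of any Debian tool: it parses those two stanzas from a .changes-style text and checks size, SHA-256 and MD5 of each listed file against the files on disk. The sample files and their .changes text are constructed inline (they are not the real mediawiki 1.15.5 upload); the second file's SHA-256 is deliberately wrong so the failure path is exercised. The parser assumes the standard layout in which continuation lines are indented by one space, which the extracted copy above has lost; verifying the PGP signature on the .changes file before trusting its checksums is a separate step not shown here.

```python
"""Verify files against the Checksums-Sha256 and Files stanzas of a Debian
.changes file (added example; constructed sample data, not Debian's own code)."""
import hashlib
import os
import tempfile


def parse_changes(text):
    """Return {filename: {"sha256": ..., "md5": ..., "size": int}} from a
    .changes body. Only the two checksum fields are read; fields with an
    inline value (Source, Version, ...) are skipped. Continuation lines are
    assumed to be indented (standard .changes layout); a non-indented line
    or a PGP armor line ends the current field."""
    entries = {}
    field = None
    for raw in text.splitlines():
        if raw.startswith("-----"):            # PGP armor line: close any open field
            field = None
            continue
        if raw and not raw[0].isspace():       # field header, e.g. "Checksums-Sha256:"
            name, _, rest = raw.partition(":")
            field = name.strip() if rest.strip() == "" else None
            continue
        line = raw.strip()
        if not line or field is None:
            continue
        parts = line.split()
        if field == "Checksums-Sha256" and len(parts) == 3:
            digest, size, fname = parts          # "<sha256> <size> <filename>"
            entries.setdefault(fname, {})["sha256"] = digest
            entries[fname]["size"] = int(size)
        elif field == "Files" and len(parts) == 5:
            digest, size, _section, _priority, fname = parts   # "<md5> <size> <section> <priority> <filename>"
            entries.setdefault(fname, {})["md5"] = digest
            entries[fname]["size"] = int(size)
    return entries


def verify_files(entries, directory):
    """Compare each listed file with the copy in `directory`. Returns
    {filename: status}; status is 'ok', 'missing', 'size-mismatch',
    'sha256-mismatch', 'md5-mismatch' or 'no-sha256' (a file listed only
    under Files/MD5 is not accepted on MD5 alone)."""
    results = {}
    for fname, expected in entries.items():
        path = os.path.join(directory, fname)
        if not os.path.isfile(path):
            results[fname] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != expected.get("size"):
            results[fname] = "size-mismatch"
        elif "sha256" not in expected:
            results[fname] = "no-sha256"
        elif hashlib.sha256(data).hexdigest() != expected["sha256"]:
            results[fname] = "sha256-mismatch"
        elif "md5" in expected and hashlib.md5(data).hexdigest() != expected["md5"]:
            results[fname] = "md5-mismatch"
        else:
            results[fname] = "ok"
    return results


def build_sample():
    """Construct two small files in a temporary directory plus a .changes
    text describing them (constructed data). The .deb entry is given an
    all-zero SHA-256 on purpose so that verify_files() reports a mismatch."""
    tmp = tempfile.mkdtemp()
    files = {
        "demo_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: demo\n",
        "demo_1.0-1_all.deb": b"!<arch>\ndebian-binary   2.0\n",
    }
    for name, body in files.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(body)
    good = files["demo_1.0-1.dsc"]
    bad = files["demo_1.0-1_all.deb"]
    changes = (
        "Format: 1.8\n"
        "Source: demo\n"
        "Checksums-Sha256:\n"
        f" {hashlib.sha256(good).hexdigest()} {len(good)} demo_1.0-1.dsc\n"
        f" {'0' * 64} {len(bad)} demo_1.0-1_all.deb\n"
        "Files:\n"
        f" {hashlib.md5(good).hexdigest()} {len(good)} web optional demo_1.0-1.dsc\n"
        f" {hashlib.md5(bad).hexdigest()} {len(bad)} web optional demo_1.0-1_all.deb\n"
    )
    return tmp, changes


def run_demo():
    """Parse the constructed .changes text and verify the constructed files."""
    tmp, changes = build_sample()
    return verify_files(parse_changes(changes), tmp)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:16} {name}")
```

For a real upload, pass the text of the signed .changes file and the directory holding the downloaded files to `verify_files(parse_changes(text), directory)`; the size check runs first because it is cheap and catches truncated downloads before any hashing, and a file that appears only in the MD5-based Files stanza is flagged rather than accepted.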