Your message dated Sun, 19 Dec 2010 13:56:37 +0000
with message-id <e1pujkb-0003j9...@franck.debian.org>
and subject line Bug#590669: fixed in mediawiki 1:1.12.0-2lenny6
has caused the Debian Bug report #590669,
regarding mediawiki: XSS vulnerability in profileinfo.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
590669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.15.4-2
Severity: serious
Tags: security upstream
Justification: user security hole, when default changed by local admin
From
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html:
A cross-site scripting (XSS) vulnerability was discovered in
profileinfo.php. The vulnerability is only exposed when the script is
explicitly enabled in LocalSettings.php, with $wgEnableProfileInfo = true.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.16-1 Apache HTTP Server metapackage
ii apache2-mpm-prefork [httpd] 2.2.16-1 Apache HTTP Server - traditional n
ii debconf [debconf-2.0] 1.5.33 Debian configuration management sy
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii php5 5.3.2-2 server-side, HTML-embedded scripti
ii php5-mysql 5.3.2-2 MySQL module for php5
ii php5-pgsql 5.3.2-2 PostgreSQL module for php5
Versions of packages mediawiki recommends:
ii mysql-server 5.1.48-1 MySQL database server (metapackage
ii mysql-server-5.1 [mysql-serve 5.1.48-1 MySQL database server binaries and
ii php5-cli 5.3.2-2 command-line interpreter for the p
Versions of packages mediawiki suggests:
ii clamav 0.96.1+dfsg-3 anti-virus utility for Unix - comm
ii imagemagick 7:6.6.2.6-1 image manipulation programs
pn mediawiki-math <none> (no description available)
pn memcached <none> (no description available)
ii php5-gd 5.3.2-2 GD module for php5
-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.12.0-2lenny6
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.12.0-2lenny6_amd64.deb
to main/m/mediawiki/mediawiki-math_1.12.0-2lenny6_amd64.deb
mediawiki_1.12.0-2lenny6.diff.gz
to main/m/mediawiki/mediawiki_1.12.0-2lenny6.diff.gz
mediawiki_1.12.0-2lenny6.dsc
to main/m/mediawiki/mediawiki_1.12.0-2lenny6.dsc
mediawiki_1.12.0-2lenny6_all.deb
to main/m/mediawiki/mediawiki_1.12.0-2lenny6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 17 Dec 2010 23:32:46 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny6
Distribution: stable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 585918 590669 591382
Changes:
mediawiki (1:1.12.0-2lenny6) stable; urgency=high
.
* Stable upload. Closes: #591382
* Fixed CSRF vulnerability in "e-mail me my password",
"create account" and "create by e-mail" features of
[[Special:Userlogin]]. CVE-2010-1648
* Fixed XSS vulnerability affecting IE clients only, due to a CSS
validation issue. CVE-2010-1647 (Closes: #585918)
* Fixed an XSS vulnerability in profileinfo.php for installations
with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
--- End Message ---