Your message dated Thu, 06 Oct 2005 16:17:07 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#332408: fixed in mediawiki 1.4.11-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Oct 2005 09:36:37 +0000
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mediawiki: Multiple vulnerabilities in Mediawiki
Date: Thu, 06 Oct 2005 11:37:35 +0200

Package: mediawiki
Severity: grave
Tags: security
Justification: user security hole

1.4.11 fixes two security problems:

CAN-2005-3167:
Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not
properly remove certain CSS inputs (HTML inline style attributes) that
are processed as active content by Internet Explorer, which allows remote
attackers to conduct cross-site scripting (XSS) attacks.

CAN-2005-3166:
Unspecified vulnerability in "edit submission handling" for MediaWiki
1.4.x before 1.4.10 and 1.3.x before 1.3.16 allows remote attackers to
cause a denial of service (corruption of the previous submission) via a
crafted URL.

Please mention these CVE assignments when you provide a fixed package.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 332408-close) by bugs.debian.org; 6 Oct 2005 23:18:52 +0000
From: Romain Beauxis <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#332408: fixed in mediawiki 1.4.11-1
Date: Thu, 06 Oct 2005 16:17:07 -0700

Source: mediawiki
Source-Version: 1.4.11-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.4.11-1_i386.deb
  to pool/main/m/mediawiki/mediawiki-math_1.4.11-1_i386.deb
mediawiki_1.4.11-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.4.11-1.diff.gz
mediawiki_1.4.11-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.4.11-1.dsc
mediawiki_1.4.11-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.4.11-1_all.deb
mediawiki_1.4.11.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.4.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <[EMAIL PROTECTED]> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  6 Oct 2005 13:13:25 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all i386
Version: 1.4.11-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <[EMAIL PROTECTED]>
Changed-By: Romain Beauxis <[EMAIL PROTECTED]>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 330904 330905 331349 331417 331466 332024 332268 332405 332408
Changes: 
 mediawiki (1.4.11-1) unstable; urgency=high
 .
   * New upstream security release.
   * Fix for CAN-2005-3167 and CAN-2005-3166 in new upstream (Closes: #332408)
   * Added translations files. Thanks to all contributors! (Closes: #330904,
     #330905, #331349, #331466, #332405)
   * Corrected Maintainer name (Closes: #332268)
   * Added link to MediaWiki installation how-to and MediaWiki Editing Help
     in README.Debian (Closes: #331417)
   * Added dependency | debconf-2.0 (Closes: #332024)
   * Changed 'arch:any' for mediawiki-math: should only be built on arch
     where ocaml compiler is present.
Files: 
 78f330e484e1b3e82dd5b70d54039824 887 web optional mediawiki_1.4.11-1.dsc
 e70b6c6fbc0e6de522f72680176c3917 1982489 web optional mediawiki_1.4.11.orig.tar.gz
 65f330f1195b6abb214b0cdde31b32a2 9603 web optional mediawiki_1.4.11-1.diff.gz
 264af70f45cf98323405c82edfc3d8aa 1941332 web optional mediawiki_1.4.11-1_all.deb
 4009981b28ac8db56cfc5f69c62504e2 113378 web optional mediawiki-math_1.4.11-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDRapQsczZcpAmcIYRAp9vAJ4hOCqcOINn6q061twBod7Xb4IXaACgp4Ai
8Zv3RUEfC34Z14/LFhUB48Y=
=+W5F
-----END PGP SIGNATURE-----

