Your message dated Mon, 04 Mar 2013 23:32:47 +0000
with message-id <e1ucesb-0005d6...@franck.debian.org>
and subject line Bug#702305: fixed in mediawiki 1:1.19.4-1
has caused the Debian Bug report #702305,
regarding mediawiki: API action 'unblock' returns a full user object
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
702305: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702305
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.19.3-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: security; information disclosure including password hashes
Forwarded: https://bugzilla.wikimedia.org/show_bug.cgi?id=43518
The unblock API discloses full user details to anyone who has the right
to use it. This includes hashed passwords, amongst other things.
The problem is apparently introduced in r83855 and at this stage, I do not
believe it affects stable, though I would not be confident enough to be sure
yet.
sid/wheezy are easily fixed with the new upstream, which I am preparing.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.22-12
ii apache2-mpm-prefork [httpd] 2.2.22-12
ii debconf [debconf-2.0] 1.5.49
pn libjs-jquery <none>
ii libjs-jquery-cookie 6-1
ii libjs-jquery-form 6-1
ii libjs-jquery-tipsy 6-1
ii mime-support 3.52-1
ii php5 5.4.4-13
ii php5-mysql 5.4.4-13
ii php5-pgsql 5.4.4-13
Versions of packages mediawiki recommends:
ii mediawiki-extensions-base 2.11
ii mysql-server 5.5.28+dfsg-1
ii php-wikidiff2 0.0.1+svn109581-1
ii php5-cli 5.4.4-13
ii python 2.7.3-4
Versions of packages mediawiki suggests:
ii clamav 0.97.6+dfsg-1
ii imagemagick 8:6.7.7.10-5
pn mediawiki-math <none>
pn memcached <none>
ii php5-gd 5.4.4-13
-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.19.4-1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 702...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 04 Mar 2013 23:06:30 +0000
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.4-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description:
mediawiki - website engine for collaborative work
Closes: 702305
Changes:
 mediawiki (1:1.19.4-1) unstable; urgency=high
 .
   * Urgency high for security fix
   * New upstream release:
     - New preference type - 'api'. Preferences of this type are not shown
       on Special:Preferences, but are still available via the
       action=options API.
     - (bug 44010) Context is passed to UserGetLanguageObject.
     - The recursion guard on RequestContext::getLanguage() was weakened.
     - (bug 44135/bug 42441) Pass '2' instead of 'true' to
       CURLOPT_SSL_VERIFYHOST
     - (bug 43518) API action=unblock should return the user name, not the
       full user object (Closes: #702305)
     - Increase timeout values for some tests
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
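
A regression check for the behaviour described in the report and in the (bug 43518) changelog entry, added here as an example; it is not code from MediaWiki or from the Debian package. It assumes the JSON result sits under an "unblock" key with a "user" field; both sample responses and their field names are constructed for illustration, and the key-name pattern is a heuristic.

```python
import json
import re

# Heuristic for credential-like key names (an assumption of this example).
SENSITIVE_KEY = re.compile(r"pass(word)?|token|hash|secret", re.IGNORECASE)

# Constructed sample bodies: one leaking a serialised user object, one fixed.
LEAKY = ('{"unblock": {"id": 7, "user": {"mId": 42, "mName": "Example", '
         '"mPassword": "<placeholder-hash>", "mToken": "<placeholder>"}, '
         '"reason": "test"}}')
FIXED = '{"unblock": {"id": 7, "user": "Example", "reason": "test"}}'


def find_sensitive_keys(value, path):
    """Recursively collect the paths of keys that look like credential fields."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(child_path)
            hits.extend(find_sensitive_keys(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_sensitive_keys(child, f"{path}[{index}]"))
    return hits


def audit_unblock_response(raw):
    """Return findings for one action=unblock JSON response body."""
    body = json.loads(raw)
    result = body.get("unblock") if isinstance(body, dict) else None
    if not isinstance(result, dict):
        return ["no 'unblock' result object in response"]
    findings = []
    user = result.get("user")
    # After the fix the field must be the plain user name, never an object.
    if not isinstance(user, str):
        findings.append(
            f"unblock.user is {type(user).__name__}, expected a user name string")
    for hit in find_sensitive_keys(result, "unblock"):
        findings.append(f"credential-like key exposed: {hit}")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("fixed", FIXED)):
        print(label, audit_unblock_response(raw))
```
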