mediawiki: XSS vulnerabilities, CVEs

Related Vulnerabilities: CVE-2010-1647   CVE-2010-1648  

Debian Bug report logs - #585918


Reported by: Jonathan Wiltshire <debian@jwiltshire.org.uk>

Date: Mon, 14 Jun 2010 21:09:02 UTC

Severity: normal

Tags: security

Found in version mediawiki/1:1.15.3-1

Fixed in version mediawiki/1:1.15.4-1

Done: Romain Beauxis <toots@rastageeks.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#585918; Package mediawiki. (Mon, 14 Jun 2010 21:09:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 14 Jun 2010 21:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonathan Wiltshire <debian@jwiltshire.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: XSS vulnerabilities, CVEs
Date: Mon, 14 Jun 2010 22:04:29 +0100
Package: mediawiki
Version: 1:1.15.3-1
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-1647:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and
1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script
or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as
script by Internet Explorer. 

CVE-2010-1648:
Cross-site request forgery (CSRF) vulnerability in the login interface in
MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote
attackers to hijack the authentication of users for requests that (1) create
accounts or (2) reset passwords, related to the Special:Userlogin form. 

http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwWmVkACgkQymvqPtuAC1LsxACfVYbA2BRnuc6TaSBkhEHQUgrw
uvwAn3K8OJXhkB9hQtAUqPipjnnDEJFG
=tiJD
-----END PGP SIGNATURE-----




Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. (Mon, 21 Jun 2010 22:21:04 GMT)


Notification sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>:
Bug acknowledged by developer. (Mon, 21 Jun 2010 22:21:04 GMT)


Message #10 received at 585918-close@bugs.debian.org:

From: Romain Beauxis <toots@rastageeks.org>
To: 585918-close@bugs.debian.org
Subject: Bug#585918: fixed in mediawiki 1:1.15.4-1
Date: Mon, 21 Jun 2010 22:17:53 +0000
Source: mediawiki
Source-Version: 1:1.15.4-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.15.4-1_amd64.deb
  to main/m/mediawiki/mediawiki-math_1.15.4-1_amd64.deb
mediawiki_1.15.4-1.diff.gz
  to main/m/mediawiki/mediawiki_1.15.4-1.diff.gz
mediawiki_1.15.4-1.dsc
  to main/m/mediawiki/mediawiki_1.15.4-1.dsc
mediawiki_1.15.4-1_all.deb
  to main/m/mediawiki/mediawiki_1.15.4-1_all.deb
mediawiki_1.15.4.orig.tar.gz
  to main/m/mediawiki/mediawiki_1.15.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Jun 2010 23:41:29 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.4-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 585918
Changes: 
 mediawiki (1:1.15.4-1) unstable; urgency=high
 .
   [ Jonathan Wiltshire ]
   * New upstream security release (closes: #585918).
   * CVE-2010-1647:
     Fix a cross-site scripting (XSS) vulnerability which allows
     remote attackers to inject arbitrary web script or HTML via crafted
     Cascading Style Sheets (CSS) strings that are processed as script by
     Internet Explorer.
   * CVE-2010-1648:
     Fix a cross-site request forgery (CSRF) vulnerability in the login interface
     which allows remote attackers to hijack the authentication of users for
     requests that (1) create accounts or (2) reset passwords, related to the
     Special:Userlogin form.
 .
   [ Romain Beauxis ]
   * Put debian's package version in declared version.
     Should help sysadmins to keep track of installed
     versions, in particular with regard to security
     updates.
   * Added Jonathan Wiltshire to uploaders.
   * Do not clean math dir if it does not exist (for instance
     when running clean from SVN).
Checksums-Sha1: 
 0d67c579c652e66ec9bf75aebc753a6babcf646d 1575 mediawiki_1.15.4-1.dsc
 c00267663a0a05ace4bd28b53b0b3b0f08dad551 11531488 mediawiki_1.15.4.orig.tar.gz
 e8b102ee8f22bc8aed7654bca156160574dc4f47 31335 mediawiki_1.15.4-1.diff.gz
 c928bd3c48f88b4cd367a7376528b931d3427bf3 11648780 mediawiki_1.15.4-1_all.deb
 4b0eec84e137daae3aa0a18c19cf69f306272a96 318432 mediawiki-math_1.15.4-1_amd64.deb
Checksums-Sha256: 
 2ae5b6dbcd2d1bb23c6c2b38a0b246ef476474e7333dcaacafd93ce92d46effb 1575 mediawiki_1.15.4-1.dsc
 c9ef415f13efc6b450276d0e7d0d488f4a113bf9c999f411ebb12b0b693a8eae 11531488 mediawiki_1.15.4.orig.tar.gz
 635e941adc932a099bd6582efc4c5c45ddc047003fd77ca16e7eebe994bc164a 31335 mediawiki_1.15.4-1.diff.gz
 b721f411e5b7cb10b573a5e12b6d2f5e9ecf67b0f5fe14b4a1845ee0ab0c2f3c 11648780 mediawiki_1.15.4-1_all.deb
 897d7774c79983e6a9980d1027c7f76b26f8ca17edfe7e011252f0b12d63f029 318432 mediawiki-math_1.15.4-1_amd64.deb
Files: 
 fd667b39e8099fb2494edc2fa89e2c9c 1575 web optional mediawiki_1.15.4-1.dsc
 9c37dee8addc27b2051ee2eebc238b4d 11531488 web optional mediawiki_1.15.4.orig.tar.gz
 82f80cee9c3d12a2abf3b9d2c697b04c 31335 web optional mediawiki_1.15.4-1.diff.gz
 70ff246e9f003adce391f416ea15f079 11648780 web optional mediawiki_1.15.4-1_all.deb
 0e300af2456bb9861df5d86525829609 318432 web optional mediawiki-math_1.15.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJMH9/TAAoJEAC5aaocqV0ZjqkH/A/J1vvt+w/VgmDfR/19V3FV
Gw7l3wgeePliAQ1rMFlb0T/q536ua13pkM5ki7ERQEsXtwQO6UK+w9twrVUlYXAd
adC8W3+3nRqNCaRbpYpeRpG4JIeCYZ9bRMCdxPnVK9UPxtHIpjwKUUudwJppUDXf
VD9AZqXxxCwyyQYxm6EnqQbmjko9DJaW4gVuCSSOGe6PMWOTYnZPOXq4rniu1yM4
IoLKP7TbJ5PaoeHIl11x4fOJJaV/BglP1WCLJYybdlH22cMzC59XNmYv//wkEzKo
aZQ/1GvDZXFO+kfOfg5AK6CK3DLo8Mx95gD2b4ZY+g45vmn9b768nMwYw7oeSZg=
=j1jf
-----END PGP SIGNATURE-----
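Added worked example, not code from this bug log and not MediaWiki's own PHP: the two defect classes named in the CVE text of the original report and repeated in the 1.15.4 changelog above. The first part shows why a keyword blacklist on a raw CSS string is not enough when the browser undoes CSS comments and escapes before interpreting the value, and checks the decoded form instead. The second part shows the login-form pattern the CSRF fix requires, a per-session secret that a third-party page cannot read, beside the pre-fix shape that trusts the session cookie alone. The names `normalize_css`, `is_safe_css`, `LoginForm`, `token_from_form` and the hidden-field name `wpLoginToken`, as well as the list of blocked CSS constructs, are assumptions made for this illustration rather than a transcription of the upstream diff.

```python
"""Added illustration, hypothetical Python rather than MediaWiki's PHP:
the CSS-as-script class (CVE-2010-1647) and the login CSRF class
(CVE-2010-1648) from the report above, each with a check that closes it."""
import hmac
import re
import secrets

# ---- CVE-2010-1647 class: CSS that Internet Explorer runs as script ----
# A keyword blacklist on the raw string is bypassed by CSS comments
# ("exp/**/ression") and CSS escapes ("\65xpression"), which the browser
# undoes before interpreting the value.  So decode first, then match.

_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)', re.S)
# Constructs that IE (expression/behavior), old Gecko (-moz-binding) or any
# browser (javascript:/vbscript: URLs, @import, url()) can turn into script
# or an outbound fetch from a style attribute.  Assumed list for this example.
_SCRIPT_CSS = re.compile(
    r'expression\(|behavior:|-moz-binding|javascript:|vbscript:|@import|url\(')


def _decode_escape(m: re.Match) -> str:
    if m.group(1) is None:            # "\x" -> "x"
        return m.group(2)
    cp = int(m.group(1), 16)          # "\65" -> "e"
    return chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd'


def normalize_css(value: str) -> str:
    """Return the value as the browser would see it after decoding."""
    value = _CSS_COMMENT.sub('', value)                     # strip /* ... */
    value = _CSS_ESCAPE.sub(_decode_escape, value)          # undo CSS escapes
    value = re.sub(r'[\x00-\x20\x7f]+', '', value)          # drop whitespace/control
    return value.lower()


def is_safe_css(value: str) -> bool:
    """True only if no script-bearing construct survives normalisation."""
    return _SCRIPT_CSS.search(normalize_css(value)) is None


# ---- CVE-2010-1648 class: state-changing login-form POSTs need a token ----

class LoginForm:
    """Hypothetical stand-in for the server side of Special:Userlogin."""

    def __init__(self):
        self.sessions = {}   # session id (cookie) -> server-side state
        self.accounts = {}   # username -> password

    def start_session(self) -> str:
        sid = secrets.token_hex(16)
        # A fresh random token per session: a third-party page can make the
        # victim's browser send the session cookie, but cannot read this value.
        self.sessions[sid] = {'csrf_token': secrets.token_hex(16)}
        return sid

    def render_form(self, sid: str) -> str:
        """Hidden field the fixed form carries (field name is an assumption)."""
        return ('<input type="hidden" name="wpLoginToken" value="%s">'
                % self.sessions[sid]['csrf_token'])

    def create_account_vulnerable(self, sid: str, user: str, pw: str) -> bool:
        # Pre-fix shape: the POST is honoured because the cookie is valid,
        # regardless of which site originated the request.
        if sid not in self.sessions:
            return False
        self.accounts[user] = pw
        return True

    def create_account(self, sid: str, user: str, pw: str, token: str) -> bool:
        # Fixed shape: the submitted token must equal the one bound to this session.
        session = self.sessions.get(sid)
        if session is None or not token or not token.isascii():
            return False
        if not hmac.compare_digest(session['csrf_token'], token):
            return False
        self.accounts[user] = pw
        return True


def token_from_form(html: str) -> str:
    """What the legitimate page (and only it) can do: read the token back."""
    m = re.search(r'name="wpLoginToken" value="([0-9a-f]+)"', html)
    return m.group(1) if m else ''


if __name__ == '__main__':
    for css in ('color: red', 'width: expression(alert(1))',
                'width: exp/**/ression(alert(1))', r'width: \65xpression(alert(1))'):
        print(repr(css), '->', 'ok' if is_safe_css(css) else 'REJECTED')
    form = LoginForm()
    sid = form.start_session()
    print('forged POST, old form  :', form.create_account_vulnerable(sid, 'eve', 'x'))
    print('forged POST, fixed form:', form.create_account(sid, 'eve2', 'x', ''))
    print('real POST, fixed form  :',
          form.create_account(sid, 'alice', 'x', token_from_form(form.render_form(sid))))
```

The same token check applies to the password-reset action named in the CVE text; the point is that any request that changes state on behalf of the cookie holder has to prove it came from a page the server itself rendered for that session.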





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 Jul 2010 07:31:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:04:43 2019; Machine Name: buxtehude
