mediawiki: Multiple security issues CVE-2012-4377,CVE-2012-4378,CVE-2012-4379,CVE-2012-4380,CVE-2012-4381,CVE-2012-4382


Debian Bug report logs - #686330


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 31 Aug 2012 08:30:01 UTC

Severity: grave

Tags: security

Fixed in version mediawiki/1:1.19.2-1

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Fri, 31 Aug 2012 08:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 31 Aug 2012 08:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: Multiple security issues
Date: Fri, 31 Aug 2012 10:23:43 +0200
Package: mediawiki
Severity: grave
Tags: security
Justification: user security hole

Please see here for more info:
http://www.gossamer-threads.com/lists/wiki/mediawiki/295767

No CVE IDs available yet.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Fri, 31 Aug 2012 08:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 31 Aug 2012 08:39:07 GMT) (full text, mbox, link).


Message #10 received at 686330@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>
To: 686330@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#686330: mediawiki: Multiple security issues
Date: Fri, 31 Aug 2012 10:37:25 +0200 (CEST)
On Fri, 31 Aug 2012, Moritz Muehlenhoff wrote:

> Please see here for more info:
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767

Thanks.

The Release Notes say that 1.19.2 is a security-fix release,
and does not list any unrelated changes. Question is, (to the
more seasoned MW packagers) can we trust that, and (to the
Release Team) would it be acceptable to bump the upstream
version on that?

Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Fri, 31 Aug 2012 16:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 31 Aug 2012 16:39:03 GMT) (full text, mbox, link).


Message #15 received at 686330@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Thorsten Glaser <t.glaser@tarent.de>
Cc: 686330@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#686330: mediawiki: Multiple security issues
Date: Fri, 31 Aug 2012 18:34:38 +0200
[Message part 1 (text/plain, inline)]
On Fri, Aug 31, 2012 at 10:37:25 +0200, Thorsten Glaser wrote:

> The Release Notes say that 1.19.2 is a security-fix release,
> and does not list any unrelated changes. Question is, (to the
> more seasoned MW packagers) can we trust that, and (to the
> Release Team) would it be acceptable to bump the upstream
> version on that?
> 
Can't answer without a diff.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'mediawiki: Multiple security issues CVE-2012-4377,CVE-2012-4378,CVE-2012-4379,CVE-2012-4380,CVE-2012-4381,CVE-2012-4382' from 'mediawiki: Multiple security issues' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sun, 02 Sep 2012 17:00:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Thu, 13 Sep 2012 16:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Thu, 13 Sep 2012 16:06:03 GMT) (full text, mbox, link).


Message #22 received at 686330@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Julien Cristau <jcristau@debian.org>
Cc: Thorsten Glaser <t.glaser@tarent.de>, 686330@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#686330: mediawiki: Multiple security issues
Date: Thu, 13 Sep 2012 18:01:40 +0200
On Fri, Aug 31, 2012 at 06:34:38PM +0200, Julien Cristau wrote:
> On Fri, Aug 31, 2012 at 10:37:25 +0200, Thorsten Glaser wrote:
> 
> > The Release Notes say that 1.19.2 is a security-fix release,
> > and does not list any unrelated changes. Question is, (to the
> > more seasoned MW packagers) can we trust that, and (to the
> > Release Team) would it be acceptable to bump the upstream
> > version on that?
> > 
> Can't answer without a diff.

Mediawiki maintainers, what's the status?

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Thu, 13 Sep 2012 21:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Platonides <platonides@gmail.com>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Thu, 13 Sep 2012 21:36:03 GMT) (full text, mbox, link).


Message #27 received at 686330@bugs.debian.org (full text, mbox, reply):

From: Platonides <platonides@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 686330@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#686330: mediawiki: Multiple security issues
Date: Thu, 13 Sep 2012 23:31:35 +0200
On 13/09/12 18:01, Moritz Muehlenhoff wrote:
> On Fri, Aug 31, 2012 at 06:34:38PM +0200, Julien Cristau wrote:
>> On Fri, Aug 31, 2012 at 10:37:25 +0200, Thorsten Glaser wrote:
>>
>>> The Release Notes say that 1.19.2 is a security-fix release,
>>> and does not list any unrelated changes. Question is, (to the
>>> more seasoned MW packagers) can we trust that, and (to the
>>> Release Team) would it be acceptable to bump the upstream
>>> version on that?
>>>
>> Can't answer without a diff.
> 
> Mediawiki maintainers, what's the status?
> 
> Cheers,
>         Moritz

All MediaWiki changes from x.y.z to x.y.z+1 are safe to do (to the best
of our knowledge), and should always be applied since they are motivated
by security fixes.
In 1.19.2 they were more serious than other times.

We do bundle the latest translations [for that branch] with the new
release. Those are obviously not part of the security fixes (unless it
added a new error message, which wasn't the case in 1.19.2) but they
don't touch the code.

An easy way to view the differences is to do:
 git diff d0c0aabb3c5d40688d2435c0963927da479a47e0 f25ee7006ff73f1cdf22cdd11401af31ef691b12



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#686330; Package mediawiki. (Fri, 14 Sep 2012 12:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 14 Sep 2012 12:33:05 GMT) (full text, mbox, link).


Message #32 received at 686330@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Julien Cristau <jcristau@debian.org>, 686330@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#686330: mediawiki: Multiple security issues
Date: Fri, 14 Sep 2012 14:30:05 +0200 (CEST)
[Message part 1 (text/plain, inline)]
On Thu, 13 Sep 2012, Moritz Muehlenhoff wrote:

> On Fri, Aug 31, 2012 at 06:34:38PM +0200, Julien Cristau wrote:

> > Can't answer without a diff.
> 
> Mediawiki maintainers, what's the status?

Oh, sorry. Other stuff made me forget this for too long.

The diff between the two tarballs is over 10 MiB, although
with .gitignore files removed, using -w and removing all
Messages* files (in the hope these are really only translation
changes/fixes), it gets down to ~21K (attached).

On a quick skim, I couldn’t find anything wrong with it,
but I’m not qualified to say whether these are bugfixes
only without detailed analysis (I’m not normally doing
development on MW core code itself, more integration
work).

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
[mnl.diff (text/x-diff, attachment)]
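The tarball-reduction step described in the message above (whitespace ignored with -w, .gitignore and Messages* translation files dropped), written up as an added example; it is not part of the bug thread or of the Debian package. The directory layout under `languages/messages` and the demo trees are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread: shrink the diff between two
# unpacked upstream release trees to the code changes a reviewer needs
# to read, as Message #32 describes. The -w flag ignores whitespace,
# and .gitignore plus the Messages* translation bundles are excluded.

# Unified recursive diff of two source trees minus noise. Exit status is
# diff's own: 0 = nothing left to review, 1 = differences, 2 = error.
code_diff() {
    old="$1"; new="$2"
    diff -ruw \
        --exclude='.gitignore' \
        --exclude='Messages*' \
        "$old" "$new"
}

# Line count of the reduced diff, so the reviewer can judge the effort.
# (The ~21K figure in the thread is a byte size, not a line count.)
code_diff_lines() {
    code_diff "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo trees (assumption: a MediaWiki-like layout, not real
# MediaWiki sources). old/ and new/ differ only in whitespace, in a
# translation file, and in .gitignore, so the reduced diff is empty.
demo_trees() {
    base=$(mktemp -d)
    for t in old new; do
        mkdir -p "$base/$t/includes" "$base/$t/languages/messages"
    done
    printf '<?php\nfunction f() {\n\treturn 1;\n}\n' > "$base/old/includes/A.php"
    printf '<?php\nfunction f() {\n    return 1;\n}\n' > "$base/new/includes/A.php"
    printf 'x\n' > "$base/old/languages/messages/MessagesDe.php"
    printf 'y\n' > "$base/new/languages/messages/MessagesDe.php"
    printf '*.log\n' > "$base/old/.gitignore"
    printf '*.log\n*.tmp\n' > "$base/new/.gitignore"
    echo "$base"
}
```

Run `code_diff old/ new/` on two extracted upstream tarballs; anything that survives is real code change and deserves the line-by-line read the thread asks for.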

Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Thu, 20 Sep 2012 12:21:15 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 20 Sep 2012 12:21:15 GMT) (full text, mbox, link).


Message #37 received at 686330-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: 686330-close@bugs.debian.org
Subject: Bug#686330: fixed in mediawiki 1:1.19.2-1
Date: Thu, 20 Sep 2012 12:19:37 +0000
Source: mediawiki
Source-Version: 1:1.19.2-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 686330@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 20 Sep 2012 13:40:12 +0200
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.2-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 686330 687519
Changes: 
 mediawiki (1:1.19.2-1) unstable; urgency=low
 .
   [ Thorsten Glaser ]
   * New upstream: security fixes for CVE-2012-4377, CVE-2012-4378,
     CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382
     (Closes: #686330)
   * Prevent <table></table> without any <tr /> inside, globally
   * Fix more cases of not checking $wgHtml5
   * MW’s ID (XML) sanitiser is there for a reason, use it!
   * Prevent <ul></ul> without any <li /> inside in MonoBook
   * Fix invalid XHTML caused by code not honouring $wgHtml5
   * Quell some PHP warnings from sloppy code
   * Do the wfSuppressWarnings patch used with FusionForge right
   * Add myself to Uploaders and quieten lintian a bit
   * Do not replace patched jquery-tablesorter with unpatched one;
     unbreaks sortable tables (Closes: #687519)
   * Update versioned Breaks against fusionforge and mw-extensions
 .
   [ Jonathan Wiltshire ]
   * Add Recommends on mediawiki-extensions-base and php-wikidiff2


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Oct 2012 07:26:13 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:28:38 2019; Machine Name: beach
