mediawiki: CVE-2013-2031 CVE-2013-2032

Related Vulnerabilities: CVE-2013-2031   CVE-2013-2032  

Debian Bug report logs - #706601
mediawiki: CVE-2013-2031 CVE-2013-2032


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 2 May 2013 09:12:02 UTC

Severity: important

Tags: security

Fixed in version mediawiki/1:1.19.6-1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#706601; Package mediawiki. (Thu, 02 May 2013 09:12:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Thu, 02 May 2013 09:12:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: CVE-2013-2031 CVE-2013-2032
Date: Thu, 02 May 2013 11:09:42 +0200
Package: mediawiki
Severity: important
Tags: security
Justification: user security hole

Please see http://www.openwall.com/lists/oss-security/2013/05/01/2 for
details.

Cheers,
        Moritz



Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Sat, 11 May 2013 15:51:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 11 May 2013 15:51:15 GMT)


Message #10 received at 706601-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 706601-close@bugs.debian.org
Subject: Bug#706601: fixed in mediawiki 1:1.19.6-1
Date: Sat, 11 May 2013 15:49:12 +0000
Source: mediawiki
Source-Version: 1:1.19.6-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 May 2013 16:07:43 +0100
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.6-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 706601
Changes: 
 mediawiki (1:1.19.6-1) unstable; urgency=low
 .
   * New upstream security release (Closes: #706601):
     - SVG script filtering could be bypassed for Chrome and Firefox
       clients by using an encoding that MediaWiki understood, but these
       browsers interpreted as UTF-8. (CVE-2013-2031)
     - Internal review discovered that extensions were not given the
       opportunity to disable a password reset, which could lead to
       circumvention of two-factor authentication (CVE-2013-2032)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
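
The CVE-2013-2031 changelog entry above describes an upload filter and a browser disagreeing about a file's encoding. As an added illustration (not MediaWiki's patch and not code from this bug log), this Python sketch rejects SVG data whose BOM or XML declaration names an encoding outside an allow-list; the allow-list, function names and sample documents are constructed assumptions.

```python
import codecs
import re

# Encodings accepted for uploads (assumption for this sketch: UTF-8 family only).
ALLOWED = {"utf-8", "ascii"}
# XML declaration at the start of the file, capturing the encoding pseudo-attribute.
DECL = re.compile(rb'\s*<\?xml\s[^>]*?encoding\s*=\s*["\']([^"\']+)["\']')

def svg_encoding_is_safe(data: bytes) -> bool:
    """True only if every consumer will read `data` as UTF-8/ASCII."""
    if data.startswith(codecs.BOM_UTF8):
        data = data[len(codecs.BOM_UTF8):]
    elif data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE) or b"\x00" in data[:4]:
        return False  # UTF-16/UTF-32, with or without a BOM
    m = DECL.match(data)
    if m is None:
        return True  # no encoding declared: XML defaults to UTF-8
    try:
        name = codecs.lookup(m.group(1).decode("ascii")).name
    except (LookupError, ValueError):
        return False  # unknown or malformed label: reject rather than guess
    return name in ALLOWED

def views_differ(data: bytes, declared: str) -> bool:
    """True if decoding per the declaration yields different text than UTF-8."""
    return data.decode(declared) != data.decode("utf-8", errors="replace")

# Constructed, benign sample documents (no script content).
SAMPLES = {
    "utf8": b'<?xml version="1.0" encoding="UTF-8"?><svg><title>caf\xc3\xa9</title></svg>',
    "none": b'<svg xmlns="http://www.w3.org/2000/svg"/>',
    "utf7": b'<?xml version="1.0" encoding="UTF-7"?><svg><title>caf+AOk-</title></svg>',
    "utf16": '<?xml version="1.0" encoding="UTF-16"?><svg/>'.encode("utf-16"),
    "bogus": b'<?xml version="1.0" encoding="x-made-up"?><svg/>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:6} accepted={svg_encoding_is_safe(doc)}")
    print("utf7 views differ:", views_differ(SAMPLES["utf7"], "utf-7"))
```

The `utf7` sample shows why the declared encoding matters: a filter that honours the declaration and a client that assumes UTF-8 see different text in the same bytes, so a check that ran on one view says nothing about the other.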




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Jun 2013 07:25:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:29 2019; Machine Name: beach
