Debian Bug report logs - #501115
CVE-2008-4408: XSS in mediawiki
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sat, 4 Oct 2008 08:57:01 UTC
Severity: important
Tags: security
Fixed in versions mediawiki/1:1.13.2-1, mediawiki/1:1.12.0-2lenny1
Done: Romain Beauxis <toots@rastageeks.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>: Bug#501115; Package mediawiki. (Sat, 04 Oct 2008 08:57:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sat, 04 Oct 2008 08:57:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: mediawiki
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediawiki.
CVE-2008-4408[0]:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://web.nvd.nist.gov/view/vuln/detail?execution=e6s1
http://security-tracker.debian.net/tracker/CVE-2008-4408
Reply sent to Romain Beauxis <toots@rastageeks.org>: You have taken responsibility. (Sat, 11 Oct 2008 14:09:06 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Sat, 11 Oct 2008 14:09:06 GMT)
Message #10 received at 501115-close@bugs.debian.org:
Source: mediawiki
Source-Version: 1:1.13.2-1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.13.2-1_amd64.deb
to pool/main/m/mediawiki/mediawiki-math_1.13.2-1_amd64.deb
mediawiki_1.13.2-1.diff.gz
to pool/main/m/mediawiki/mediawiki_1.13.2-1.diff.gz
mediawiki_1.13.2-1.dsc
to pool/main/m/mediawiki/mediawiki_1.13.2-1.dsc
mediawiki_1.13.2-1_all.deb
to pool/main/m/mediawiki/mediawiki_1.13.2-1_all.deb
mediawiki_1.13.2.orig.tar.gz
to pool/main/m/mediawiki/mediawiki_1.13.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 11 Oct 2008 15:02:39 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.13.2-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 501115
Changes:
mediawiki (1:1.13.2-1) unstable; urgency=low
.
* New upstream release
* Fix CVE-2008-4408: XSS in mediawiki:
"Cross-site scripting (XSS) vulnerability allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component."
Closes: #501115
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>: Bug#501115; Package mediawiki. (Sun, 12 Oct 2008 03:33:02 GMT)
Acknowledgement sent to Paul Wise <pabs@debian.org>: Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 12 Oct 2008 03:33:02 GMT)
Message #15 received at 501115@bugs.debian.org:
Hi,
Are the mediawiki maintainers going to fix this security issue in Lenny?
--
bye,
pabs
http://wiki.debian.org/PaulWise
Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>: Bug#501115; Package mediawiki. (Tue, 14 Oct 2008 10:36:06 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 14 Oct 2008 10:36:06 GMT)
Message #20 received at 501115@bugs.debian.org:
Hi Paul,
* Paul Wise <pabs@debian.org> [2008-10-12 11:56]:
> Are the mediawiki maintainers going to fix this security issue in Lenny?
Yes, the security team already was contacted by the
maintainer.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Romain Beauxis <toots@rastageeks.org>: You have taken responsibility. (Tue, 14 Oct 2008 23:21:06 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Tue, 14 Oct 2008 23:21:06 GMT)
Message #25 received at 501115-close@bugs.debian.org:
Source: mediawiki
Source-Version: 1:1.12.0-2lenny1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.12.0-2lenny1_amd64.deb
to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny1_amd64.deb
mediawiki_1.12.0-2lenny1.diff.gz
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1.diff.gz
mediawiki_1.12.0-2lenny1.dsc
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1.dsc
mediawiki_1.12.0-2lenny1_all.deb
to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 14 Oct 2008 15:56:19 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny1
Distribution: testing-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 501115
Changes:
mediawiki (1:1.12.0-2lenny1) testing-security; urgency=high
.
* Security update, fix CVE-2008-4408:
"Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component."
Closes: #501115
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Nov 2008 07:32:31 GMT)
Last modified: Wed Jun 19 17:15:04 2019