mediawiki: CVE-2012-5391 CVE-2012-5395

Debian Bug report logs - #694998
mediawiki: CVE-2012-5391 CVE-2012-5395

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: mediawiki: CVE-2012-5391 CVE-2012-5395

Date: Mon, 03 Dec 2012 07:51:16 +0100

Package: mediawiki
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.gossamer-threads.com/lists/wiki/mediawiki/316419

Cheers,
        Moritz

Message #10 received at 694998@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: Moritz Muehlenhoff <jmm@inutil.org>, 694998@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>

Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: [Pkg-mediawiki-devel] Bug#694998: mediawiki: CVE-2012-5391 CVE-2012-5395

Date: Mon, 3 Dec 2012 12:00:54 +0100 (CET)

On Mon, 3 Dec 2012, Moritz Muehlenhoff wrote:

> Please see http://www.gossamer-threads.com/lists/wiki/mediawiki/316419

ACK, thanks, will have a look at updating it.
(Sorry for the delay, our UGS went down hard…)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke

Message #15 received at 694998@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: 694998@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>

Subject: Re: [Pkg-mediawiki-devel] Bug#694998: mediawiki: CVE-2012-5391 CVE-2012-5395

Date: Thu, 6 Dec 2012 09:32:40 +0100 (CET)

Hi,

sorry, I’m too tied up in other work that keeps popping
up to check the new version if it’s ready for uploading
in a timely manner.

Just saying. If nobody pops up, I’ll do it eventually,
of course, but it’s not on the top of my stack, so *if*
someone else wants to help, be our guest.

(Plus, uploads don’t work at the moment anyway…)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke

Message #20 received at 694998@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: debian-release@lists.debian.org

Cc: t.glaser@tarent.de, pkg-mediawiki-devel@lists.alioth.debian.org

Subject: Question on proposed integration of MediaWiki 1.19.3 in wheezy

Date: Wed, 12 Dec 2012 10:58:18 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear release managers,

today, I chose to fix RC bug #694998. It is a security issue with 
MediaWiki 1.19.2 currently in testing, and there are two ways of fixing 
this issue. The easiest would be to get the new upstream version 1.19.3 
into testing. I created the new package and a debdiff [2]. This diff is 
quite large because the update also incorporates tons of translation 
updates.

The other possibility is to backport the changes for the security fixes to 
1.19.2, which is also non-problematic. I prepared a debdiff for that as 
well [3].

The question is if the release team would grant a freeze exception for the 
new upstream version 1.19.3, maybe considering the translation changes 
non-critical?

Looking forward to your feedback,
Nik

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
[2] http://shore.naturalnet.de/~nik/mediawiki_1.19.2-2_1.19.3-0.1.debdiff
[3] http://shore.naturalnet.de/~nik/mediawiki_1.19.2-2_1.19.2-2.1.debdiff

- -- 
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6  F6C1 59FC 8E1D 6F2A 8001
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQFOBAEBCAA4BQJQyFTLMRpodHRwczovL3d3dy5kb21pbmlrLWdlb3JnZS5kZS9n
cGctcG9saWN5LnR4dC5hc2MACgkQWfyOHW8qgAGdNQgAjgT7dKHee7zBD+PD5991
PmNTsx+r84ynlUaibX8i5R7OUErC8h5wRraAe/XYHEeHSRyjYnEFatbMbYvKRzZD
CZxBlbNNvDcTV/UjhgBMIaNfaQZxYoxCktuMVuhdDrFv6A6T7flAJPNEmh7ATS+Q
fci4QLLtZg2F1v1y+8NyWQHk8CwEoXtOplZBR9kHgVTZMWVBUI//wsJr0wIAY11A
5c9yhaUFUHIWAx1c2zw74+MaqMAbBiYav3LGXBdTbMscihFcxtql4/s8+xgVHeCn
aYrSsHE984MdjI1BiYqygiBWNWjBiEc4hTGZI2GPWByORJMBM1QjqZUha3KzSZ5Z
+w==
=xOmo
-----END PGP SIGNATURE-----

Message #25 received at 694998@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: pkg-mediawiki-devel@lists.alioth.debian.org

Cc: Roland Mas <lolando@debian.org>, Thorsten Glaser <t.glaser@tarent.de>, 694998@bugs.debian.org

Subject: Re: Question on proposed integration of MediaWiki 1.19.3 in wheezy

Date: Thu, 13 Dec 2012 10:37:56 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Control: tags -1 + patch pending

Hi fellows,

thanks to Roland for fixing my commit access!

I have now committed my changes to the team SVN and hope that they are fit 
for release.

Cheers,
Nik

- -- 
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6  F6C1 59FC 8E1D 6F2A 8001
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQFOBAEBCAA4BQJQyaHbMRpodHRwczovL3d3dy5kb21pbmlrLWdlb3JnZS5kZS9n
cGctcG9saWN5LnR4dC5hc2MACgkQWfyOHW8qgAEMvwf9EE1ggh+JrzIf/XxHS5E7
def6d6dYDb+c0WvNe378EyvX6Tc/FZCG5qeEBUBfZjxuZ3u1rsz2Et9N0GUZ+b1k
Cc/hK5TJcNxWtufPGux4c0me7KS+JFdaHaes3aa0m+WZ2K8TREz6pOjmjxuUZNyH
dmiTLjVSQBVZUkXWItgqy0f2HOZsLZW4jM5a6aoU8HskSRZirAQCE/+g/8WiQz7O
885J586r8/4nUlr7tyGY0aiv92kQv2p/pnjEingD4P14eSrFJaFoWfeGjvIceXVb
hV/Bt1PJVXlozeuAyO9/90FLfXNCNY8M24PfdtFkY+0/wgkUake2dS+FTVCnzYWV
uA==
=zOzr
-----END PGP SIGNATURE-----

Message #32 received at 694998-quiet@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: Dominik George <nik@naturalnet.de>

Cc: pkg-mediawiki-devel@lists.alioth.debian.org, 694998-quiet@bugs.debian.org

Subject: Re: Question on proposed integration of MediaWiki 1.19.3 in wheezy

Date: Thu, 13 Dec 2012 11:03:19 +0100 (CET)

On Thu, 13 Dec 2012, Dominik George wrote:

> I have now committed my changes to the team SVN and hope that they are fit 
> for release.

I’ll somewhat trust upstream and you and will upload
to sid after a rudimentary functionality test.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke

Message #37 received at 694998-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>

To: 694998-close@bugs.debian.org

Subject: Bug#694998: fixed in mediawiki 1:1.19.3-1

Date: Thu, 13 Dec 2012 10:32:57 +0000

Source: mediawiki
Source-Version: 1:1.19.3-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Wed, 12 Dec 2012 09:44:08 +0100
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.3-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 694998
Changes: 
 mediawiki (1:1.19.3-1) unstable; urgency=high
 .
   [ Dominik George ]
   * Team upload
   * New upstream version fixes security issues (Closes: #694998)
     + Prevent session fixation in Special:UserLogin (CVE-2012-5391)
       https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
     + Prevent linker regex from exceeding PCRE backtrack limit
       https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
 .
   [ Thorsten Glaser ]
   * Fix spelling error in README.Debian (thanks lintian!)
Checksums-Sha1: 
 0b7c0d9c7925abc1f81aa032e9ef313796d08862 2094 mediawiki_1.19.3-1.dsc
 9c0bff33446b100e1ae6c4883e7c5bc8273aa9a9 18447791 mediawiki_1.19.3.orig.tar.gz
 56eb20c4c59861c02cabe02d2eab6ccd041fb004 36871 mediawiki_1.19.3-1.debian.tar.gz
 117dde12956b1ceb288cb8aa203cdece690932ea 17648746 mediawiki_1.19.3-1_all.deb
Checksums-Sha256: 
 c9f88d20b9743c552d31acec7fbd2b345521cd6de2e0a78d904ccd5a173dfd93 2094 mediawiki_1.19.3-1.dsc
 d7049f230efd12789017867c65abdf1470567a81b5f9a5bccdfe9532f67ad63d 18447791 mediawiki_1.19.3.orig.tar.gz
 7d75501973180519d618fa529173816e65cb4be6656b2d3b902b528b5f35f15e 36871 mediawiki_1.19.3-1.debian.tar.gz
 6c321f4721f0f955623aef08a895aca745f787f7ee75a597ece002da949c199f 17648746 mediawiki_1.19.3-1_all.deb
Files: 
 5bdd7cdcca92445639d4bbedfe0eb039 2094 web optional mediawiki_1.19.3-1.dsc
 6333c9fda65cec9f0570f6bae03cf8d3 18447791 web optional mediawiki_1.19.3.orig.tar.gz
 a329874b37d5fb8277c9c4ba3d0fc79e 36871 web optional mediawiki_1.19.3-1.debian.tar.gz
 908b52f65b131cbdbd14999482cbff28 17648746 web optional mediawiki_1.19.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MirBSD)

iQIcBAEBCQAGBQJQyavAAAoJEHa1NLLpkAfgx4AQAIRvYusyGstTQrrWeZkaRG1O
UhKEvHxHBWUKwrVyu7DFPmSw45fSstq1Ed8yBn+jTdb++qiPQJzrprCuciiCQMIZ
5QeuwGvOgxI4RHlAEwv6oUByPn53zuRnepY0PB0OPdZ/Hhn0VmAOlAXR+9FfpHiZ
G0sB72WZyXmtMn9WgFVJdeWmIyRCWT3g2mMYHsUaLylwVN6JoPyIaVmMhb2KsvWB
em9KGVQ7GjEZRb+mDhffeT/iTMNnOiYrUbVShEAswSekSmVJVEWoNU2go86Fbf1v
O1aOsH57z269NBHr52xcK/Q8twkx4DFNri6lkkBddWQgZ8q97aAzMQnbhplSLn7s
jC07P2wPA+cgVZu9sSsoseHePQCjdIV0t2N/J7W17m5tbnzpMFukZmq9zhY3gY6r
HYECjNSthMAIdLtGomadITWg3LjMxs4vIXKI9ougYR1rRZUqizueFEvx40ZW3S78
jC9Jy1YmEHj9Ql0QynqVLWXIlak454/hZuqZCT2uIP4dh6pe/h4d0jhWW3ICrRfP
RQzgByEz/UyeBLfqLsZj8Ky3o545jTq/TvpoydVAU/6miy/8cH7DltMWcwrbbfG8
alBzu2k7eRRwFUim57QEmLpEjtgRsSewKqN/Dj1wyypKsbffJtPoZljX3GUI+BOG
4wBIS5CtTJdZaUMDuzwd
=5aaZ
-----END PGP SIGNATURE-----

Message #42 received at 694998-close@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 694998-close@bugs.debian.org

Subject: Bug#694998: fixed in mediawiki 1:1.15.5-2squeeze5

Date: Mon, 17 Dec 2012 21:47:05 +0000

Source: mediawiki
Source-Version: 1:1.15.5-2squeeze5

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 16 Dec 2012 17:53:38 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.5-2squeeze5
Distribution: stable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 694998
Changes: 
 mediawiki (1:1.15.5-2squeeze5) stable; urgency=low
 .
   [ Dominik George ]
   * Security fixes from upstream (Closes: #694998):
     - CVE-2012-5391 - Prevent session fixation in Special:UserLogin
     - Prevent linker regex from exceeding backtrack limit
Checksums-Sha1: 
 df943f14a0ebbbd2ff9a9d4a53b005b0e1a8421b 2091 mediawiki_1.15.5-2squeeze5.dsc
 4b036c81c494109aed45bb8aea5a1a7d3f5dfb57 43846 mediawiki_1.15.5-2squeeze5.debian.tar.gz
 734abfe5010c0159258382c02bcea6f2f0adedf1 11723600 mediawiki_1.15.5-2squeeze5_all.deb
 d9ca8be277f01f3844bba79094af3d49b16593e4 319250 mediawiki-math_1.15.5-2squeeze5_amd64.deb
Checksums-Sha256: 
 43aa00b653c75ea7f29be9c529776b1730faaa23f6133deadb324c644209ff7b 2091 mediawiki_1.15.5-2squeeze5.dsc
 8dd8130ace1cbb97f3828ad1a73538725501d725ad683f2dd52d8105733e725c 43846 mediawiki_1.15.5-2squeeze5.debian.tar.gz
 2cc3d4db1e4b887788ab02f6412b5246f94ee9179fedb370247e7aee40f438b1 11723600 mediawiki_1.15.5-2squeeze5_all.deb
 eb5125190a17a59722b4174ec568208d05d1cb8a6181001ccd3d92efd3b1a983 319250 mediawiki-math_1.15.5-2squeeze5_amd64.deb
Files: 
 24e9358eb6a6ad3396105d1139a156b9 2091 web optional mediawiki_1.15.5-2squeeze5.dsc
 273685b984dda08ba863daffb3caf10c 43846 web optional mediawiki_1.15.5-2squeeze5.debian.tar.gz
 ad0f078b6f6acc0f11c8bb0bfb3415e1 11723600 web optional mediawiki_1.15.5-2squeeze5_all.deb
 46a528fbf832cae48edd671a4cb0a3bc 319250 web optional mediawiki-math_1.15.5-2squeeze5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQz0L9AAoJEFC7AtTIpr9hzhwP/2pVBfyymzCOdU+uXUGXlHEX
GluqnpnfURRyNl9pgm+5yL+44ZHB/OVutKzQX4VwJarNAZ4Gzh9IkNJ5EVuiU5ZI
OsxL4MByARJ1+LXBB5DsjQzBuhDmkQk1hjNfD/a1VXm7OCdMJ1HsGHOojduheHvJ
FdxvBxA7hnW6J2WiZQQZ5ipnELsqdlX21Og/1XCxboGa0oeN/N+97Vn0UCP1EIhj
AeTRi8/GZKu+mBCV7x/4XUTBKhBVYC94naQD4jyFqn7jevtUaRebJIux+N0czbRo
7xLEq84XBwFiGwbZTl12+TCBdkY4uTbEDpkB0cj5ZtCPmXFM7v0f7Pcz8yKu028T
25cFDap9tEeMzu8qg0EwgwnDU/AiMY0RTU+k0fqQmazIAx2WkAV0KKwnYynIL9AE
tNPQf49FU+NRmHJ1mtU0XW/JuEgon4vsNPGojVJ7hHmRjxyvSk3j2rLkgcFbO9Nw
FdBeAAFK05UpJvC6FceFmLN+wJGzFxfITQCTYz+C4wr5/WmAW/HKRwdqwuo6PqKv
A4JdwG5LOpeqFLShRLZPFpjzWo0fu3CzM3SvAj2b4q6LWv7G+JqwXOG6/K9woRs7
HkUmrWwoGgc0XwRxsdLn+9FWmoZe35d6cH4zlqrsZfPeNT7lZQBjoiDEsuagOAdP
W0I5vqya2+rLkYCLXP0Q
=7vtc
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.