CVE-2007-4828 XSS in pretty-printing mode

Debian Bug report logs - #442255

Package: mediawiki1.10; Maintainer for mediawiki1.10 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 14 Sep 2007 12:03:03 UTC

Severity: serious

Tags: security

Fixed in version mediawiki1.10/1.10.2-1

Done: Romain Beauxis <toots@rastageeks.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, MediaWiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#442255; Package mediawiki.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to MediaWiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4828 XSS in pretty-printing mode
Date: Fri, 14 Sep 2007 14:02:20 +0200
Package: mediawiki
Severity: serious
Tags: security

Hi,
a CVE has been issued against mediawiki.
CVE-2007-4828[0]:
Cross-site scripting (XSS) vulnerability in the API 
pretty-printing mode in MediaWiki 1.8.0 through 1.8.4, 1.9.0 
through 1.9.3, 1.10.0 through 1.10.1, and the 1.11 
development versions before 1.11.0 allows remote attackers 
to inject arbitrary web script or HTML via unspecified 
vectors.

If you fix this bug please include the CVE id in your 
changelogs.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4828

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
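The CVE text quoted in the report above gives no vector, and this page does not say how the MediaWiki API's pretty-printing mode was exploited. The following is an added, constructed illustration of the bug class it names, not MediaWiki's api.php code: an API that emits safe machine-readable output also offers a "pretty" mode that wraps the same output in HTML for humans, and anything the response echoes from the request (here an assumed `titles` parameter) lands in an HTML context where it must be escaped. The handler, parameter names and payload are assumptions for the example.

```python
# Added illustration of the bug class named in the CVE text: an API whose
# "pretty-printing" mode wraps the response in HTML for human readers.
# Constructed example code, not MediaWiki's api.php; the request below is an
# assumed payload, the page does not state the real vector.
import html
import json
import re

# Constructed request: a page title carrying a script tag. The API
# legitimately echoes the requested title back in its response.
SAMPLE_PARAMS = {
    "action": "query",
    "titles": "<script>alert(document.cookie)</script>",
}


def build_response(params):
    """Assumed handler: machine-readable result for a page that does not exist."""
    return {"query": {"pages": {"-1": {"title": params["titles"], "missing": ""}}}}


def render(body, pretty, escape):
    """Serialise BODY for the client.

    Plain mode returns JSON under a non-HTML content type, so markup in the
    data is inert. Pretty mode returns an HTML page: the serialised text has
    changed context and must be HTML-escaped. ESCAPE=False reproduces the
    vulnerable behaviour, ESCAPE=True the hardened one.
    """
    text = json.dumps(body, indent=2)
    if not pretty:
        return "application/json", text
    if escape:
        text = html.escape(text, quote=True)
    return "text/html", "<html><body><pre>" + text + "</pre></body></html>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_live_script(content_type, page):
    """True when a browser would execute script from this response:
    HTML content type and an unescaped <script> tag in the body."""
    return content_type.startswith("text/html") and SCRIPT_TAG.search(page) is not None


def demo():
    """Run the three variants over the constructed request."""
    body = build_response(SAMPLE_PARAMS)
    return {
        "plain": has_live_script(*render(body, pretty=False, escape=False)),
        "pretty_vulnerable": has_live_script(*render(body, pretty=True, escape=False)),
        "pretty_fixed": has_live_script(*render(body, pretty=True, escape=True)),
    }


if __name__ == "__main__":
    for name, live in demo().items():
        print(f"{name}: {'XSS' if live else 'safe'}")
```

The point to take from it when reviewing any API with a human-readable output mode: the escaping rules are decided by the content type the response is served under, not by the format of the data inside it, so a JSON or XML serialiser that is correct on its own becomes an injection point the moment its output is pasted into an HTML page.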

Bug reassigned from package `mediawiki' to `mediawiki1.10'. Request was from Romain Beauxis <toots@rastageeks.org> to control@bugs.debian.org. (Fri, 14 Sep 2007 12:51:02 GMT)


Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #12 received at 442255-close@bugs.debian.org:

From: Romain Beauxis <toots@rastageeks.org>
To: 442255-close@bugs.debian.org
Subject: Bug#442255: fixed in mediawiki1.10 1.10.2-1
Date: Fri, 14 Sep 2007 13:17:05 +0000
Source: mediawiki1.10
Source-Version: 1.10.2-1

We believe that the bug you reported is fixed in the latest version of
mediawiki1.10, which is due to be installed in the Debian FTP archive:

mediawiki1.10-math_1.10.2-1_amd64.deb
  to pool/main/m/mediawiki1.10/mediawiki1.10-math_1.10.2-1_amd64.deb
mediawiki1.10_1.10.2-1.diff.gz
  to pool/main/m/mediawiki1.10/mediawiki1.10_1.10.2-1.diff.gz
mediawiki1.10_1.10.2-1.dsc
  to pool/main/m/mediawiki1.10/mediawiki1.10_1.10.2-1.dsc
mediawiki1.10_1.10.2-1_all.deb
  to pool/main/m/mediawiki1.10/mediawiki1.10_1.10.2-1_all.deb
mediawiki1.10_1.10.2.orig.tar.gz
  to pool/main/m/mediawiki1.10/mediawiki1.10_1.10.2.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki1.10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Sep 2007 14:54:33 +0200
Source: mediawiki1.10
Binary: mediawiki1.10-math mediawiki1.10
Architecture: source all amd64
Version: 1.10.2-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 mediawiki1.10 - website engine for collaborative work
 mediawiki1.10-math - math rendering plugin for MediaWiki
Closes: 426223 437509 442255
Changes: 
 mediawiki1.10 (1.10.2-1) unstable; urgency=low
 .
   * New upstream release
   * Fix CVE-2007-4828: XSS in pretty-printing mode (Closes: #442255)
   * Updated debconf translations, thanks to translators!
   Closes: #437509, #426223
Files: 
 29373f7a8913d71a82defede765f543e 900 web optional mediawiki1.10_1.10.2-1.dsc
 f1a5659624444c7101f258c7d43b03a0 4375272 web optional mediawiki1.10_1.10.2.orig.tar.gz
 6f8bf0d1fd7e212c73e545ce1604ab97 30176 web optional mediawiki1.10_1.10.2-1.diff.gz
 a84f1fedffc8d950d69e1c8dfd590f6e 4400160 web optional mediawiki1.10_1.10.2-1_all.deb
 5f377e82e9ff80db261aa93475d001cf 145464 web optional mediawiki1.10-math_1.10.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6oXcnuQ3Rt5ZmAARAoE7AKCrNp8CUxA+fE8M7CBYyV+/Ytkz6gCaAoEq
ZcVFGD3tLUx4nanjlXxhGx8=
=ayq+
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Oct 2007 07:28:27 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:48:13 2019; Machine Name: beach