Debian Bug report logs -
#611787
CVE-2011-0047: CSS injection vulnerability
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Wed, 2 Feb 2011 07:51:01 UTC
Severity: grave
Tags: security, squeeze-ignore
Found in versions mediawiki/1:1.12.0-2lenny7, mediawiki/1:1.12.0-2
Fixed in versions mediawiki/1:1.15.5-3, mediawiki/1:1.15.5-2squeeze1, mediawiki/1:1.12.0-2lenny8
Done: Jonathan Wiltshire <jmw@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#611787; Package mediawiki.
(Wed, 02 Feb 2011 07:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>.
(Wed, 02 Feb 2011 07:51:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mediawiki
Severity: grave
Tags: security
Please see
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#611787; Package mediawiki.
(Wed, 02 Feb 2011 13:48:32 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>.
(Wed, 02 Feb 2011 13:48:32 GMT) (full text, mbox, link).
Message #10 received at 611787@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 611787 squeeze-can-defer
tag 611787 squeeze-ignore
kthxbye
On Wed, Feb 2, 2011 at 08:48:38 +0100, Moritz Muehlenhoff wrote:
> Package: mediawiki
> Severity: grave
> Tags: security
>
> Please see
> http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES
>
Not a release blocker.
Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]
Added tag(s) squeeze-ignore.
Request was from Julien Cristau <jcristau@debian.org>
to control@bugs.debian.org.
(Wed, 02 Feb 2011 13:48:36 GMT) (full text, mbox, link).
Changed Bug title to 'CVE-2011-0047: CSS injection vulnerability' from 'Two new security issues'
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Sun, 06 Feb 2011 14:21:02 GMT) (full text, mbox, link).
Bug Marked as found in versions mediawiki/1:1.12.0-2lenny7.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Sun, 06 Feb 2011 15:09:03 GMT) (full text, mbox, link).
Bug Marked as found in versions mediawiki/1:1.12.0-2.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Sun, 06 Feb 2011 15:27:03 GMT) (full text, mbox, link).
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Sun, 06 Feb 2011 16:21:09 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Sun, 06 Feb 2011 16:21:09 GMT) (full text, mbox, link).
Message #23 received at 611787-close@bugs.debian.org (full text, mbox, reply):
Source: mediawiki
Source-Version: 1:1.15.5-3
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.15.5-3_amd64.deb
to main/m/mediawiki/mediawiki-math_1.15.5-3_amd64.deb
mediawiki_1.15.5-3.debian.tar.gz
to main/m/mediawiki/mediawiki_1.15.5-3.debian.tar.gz
mediawiki_1.15.5-3.dsc
to main/m/mediawiki/mediawiki_1.15.5-3.dsc
mediawiki_1.15.5-3_all.deb
to main/m/mediawiki/mediawiki_1.15.5-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 06 Feb 2011 15:53:48 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.5-3
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 611787
Changes:
mediawiki (1:1.15.5-3) unstable; urgency=high
.
[ Thorsten Glaser ]
* debian/patches/fix_datetime.patch: new, convert argument into
the format expected by other methods, fixes date/time output
in e.g. the News/RSS extensions
.
[ Jonathan Wiltshire ]
* CVE-2011-0047: Protect against a CSS injection vulnerability
(closes: #611787)
* Update my email address
Checksums-Sha1:
fe76cad7447cdb72db28a83365ce7e4cdfbc9241 2049 mediawiki_1.15.5-3.dsc
bed12414b2af5f4706b335e7de4053689b14d902 37423 mediawiki_1.15.5-3.debian.tar.gz
de84c75b14374e5873ebc8811f7fbd7129ec62c3 11715570 mediawiki_1.15.5-3_all.deb
25dc4e18b50472110f2ed5f1555e04f04f6c96e7 319160 mediawiki-math_1.15.5-3_amd64.deb
Checksums-Sha256:
502338e0a419e8f070d56c9ee5416605fc14c07080b3f576ac68bd0e1a3fbcc8 2049 mediawiki_1.15.5-3.dsc
b656e5c07f68072963218f45e1ef37be1e26d55b50dedf484921a98f20a656a9 37423 mediawiki_1.15.5-3.debian.tar.gz
0e7950d37fb0edb114394cc554749241a2a195703f96bec1e428c4fc3262e133 11715570 mediawiki_1.15.5-3_all.deb
db9fcba9bdfbd0ef14cb40303774db73d191ccc12b9d34b8fa14c65ab9f72ae2 319160 mediawiki-math_1.15.5-3_amd64.deb
Files:
df7ccc4c146d5218b29930e2ee8341bb 2049 web optional mediawiki_1.15.5-3.dsc
4e39c03213f426d03da2c94246c04e78 37423 web optional mediawiki_1.15.5-3.debian.tar.gz
6b6cc029d225e7da297a3b9951b8f7a6 11715570 web optional mediawiki_1.15.5-3_all.deb
005e77d68b36be5cd7ba3da220701187 319160 web optional mediawiki-math_1.15.5-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJNTsX8AAoJEFOUR53TUkxRMHoP/0UjSakZKqH/1KKiAW1obnry
/FwcoNQxjD3iy9gsx7EuC3g1Jfe40ACGODPSShp/lDClcSbNj81NmZmlzuMVvQ0+
rGYX2zZ0XCySBH96aQe9eikelhM5aJdUZHxLbv394/HqQ/XcdQCzxIWW4jg/3Dff
oPitY7yFby6w/7tlFqkzsOpPwBzP/1EZ7r+YuR6YBYfXOlASk2CvNrFvpxeHfUwp
WHS+QkQ91GmayE60l1Q4lbCp3hUeIg69ysvqX9YmFxKUuKTWCEgoLvTw+S7U0I9I
u7z2F5rlSI/4hBTuLaR3WKDu00Llj/hU4JIN4bmYxhxXjYyayXPlcLdgnBUwQ0uY
Daf9eh5db5fZ+3Z+jba2oQ4yAKB2ZdKiI6bYG9dYGJ1x7QDjQz5WrBD9obTTK/EC
o434xeIt2NILNYIbZ7303fFNXaiDxmnrngodb+pptfsXJukT4QiEUKXaxzBrpJeR
+FNsB0m92C+k8zlAAtnRbkfyq6n+EvxU+hXKNNjdNnyBaIwY7GZel9VLKlFGu3Ha
otT4Ydtal5LHm79+0P66xK4OixIr613MoyH9DA9eTZ+Ox01I8AbkHE6787nCVWQD
+SvJMoJqElznQLc91kX1RnXHCEol6iFaXEE6e8piMbB8CLduLGGP6/tObBIjqYli
mupApwgeLg5nOjIQylGV
=z3e7
-----END PGP SIGNATURE-----
Reply sent
to Jonathan Wiltshire <debian@jwiltshire.org.uk>:
You have taken responsibility.
(Tue, 08 Feb 2011 01:57:07 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Tue, 08 Feb 2011 01:57:07 GMT) (full text, mbox, link).
Message #28 received at 611787-close@bugs.debian.org (full text, mbox, reply):
Source: mediawiki
Source-Version: 1:1.15.5-2squeeze1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.15.5-2squeeze1_amd64.deb
to main/m/mediawiki/mediawiki-math_1.15.5-2squeeze1_amd64.deb
mediawiki_1.15.5-2squeeze1.debian.tar.gz
to main/m/mediawiki/mediawiki_1.15.5-2squeeze1.debian.tar.gz
mediawiki_1.15.5-2squeeze1.dsc
to main/m/mediawiki/mediawiki_1.15.5-2squeeze1.dsc
mediawiki_1.15.5-2squeeze1_all.deb
to main/m/mediawiki/mediawiki_1.15.5-2squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <debian@jwiltshire.org.uk> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 06 Feb 2011 13:45:39 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.15.5-2squeeze1
Distribution: stable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <debian@jwiltshire.org.uk>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 611787
Changes:
mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
.
* CVE-2011-0047: Protect against a CSS injection vulnerability
(closes: #611787)
Checksums-Sha1:
22797ae6cf4d8b24226456169c7f0e01f069559c 2091 mediawiki_1.15.5-2squeeze1.dsc
c5fe9556adc7bde01ef2265a36c880345dd9bd97 36774 mediawiki_1.15.5-2squeeze1.debian.tar.gz
e5981355e3f6d3ee8a40144a4d87d12af507d96a 11715418 mediawiki_1.15.5-2squeeze1_all.deb
a8e701e5f35a80ad8d4315385be125f0f25999b7 319140 mediawiki-math_1.15.5-2squeeze1_amd64.deb
Checksums-Sha256:
4495e67f2492ba14a2bf4bdc23086e0c053527ca4e9aaed9a014070f23ed15b2 2091 mediawiki_1.15.5-2squeeze1.dsc
e971aa4a2d6a6464f0fe044f2e1657c78f3ac476d43893a1bcecffd57eb1f9bd 36774 mediawiki_1.15.5-2squeeze1.debian.tar.gz
a91572165802425727f0aeea94395a1c750433deb9ea0a055d7dcc89ee0dc84e 11715418 mediawiki_1.15.5-2squeeze1_all.deb
ae5a35b4534611ee22b4bad4336177d94eb4792c2b0e143d942dfa01c21d498e 319140 mediawiki-math_1.15.5-2squeeze1_amd64.deb
Files:
d69f485e6d5b359f80ee0f23120a3242 2091 web optional mediawiki_1.15.5-2squeeze1.dsc
614f0697e10c04ba85c962c363d2f607 36774 web optional mediawiki_1.15.5-2squeeze1.debian.tar.gz
befce32fefe84c2bc3efdefa9c6ce111 11715418 web optional mediawiki_1.15.5-2squeeze1_all.deb
451fd062f69be5946132f4b872c98d37 319140 web optional mediawiki-math_1.15.5-2squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJNTzvmAAoJEFOUR53TUkxR5lgP/jb72uHT+wplvabhHOqu4oGA
Ub4RW9zpdkZlcAEr8/u+A2GQOB9xlb2jETctyICALB7U3bncBcRxuvY5zvrqE04a
ge3TzDS7MP5Cx0bA1XX4UmauAiLLMrb3+rVmFNSEARYBNmeOhOHEPumZUgWcl81n
HMC/7dRhCTksK726IcixH+upRktxE9x+YmW6g1vB3q4ylaPjyTliU57+pmu2MR8j
wBhtiRJu08JJIHQhmMOAlnlI/V+p/25xHz/WwhmndeLSeGyAOGnPuivckZsVOjvV
tBM6QAixc+uxNIAINOU2PeR2nlQY/rGKtZO8SlFNVyspeRmaD70a59CWppF1fdWk
F7n6lgWChaCFLWyqhRut8bC/e8iHp8FuHMJGWWep9YNfzGo7opHxG0MGLUHL0ETk
pFDDM2qQZ1Na234PavMEt/H38nRC/JUgsSL1+0quRHfhpMFxT17LjT5rBOy8AOHx
O/n3clhhEC4+w5g5lYsIYbOh73daYKt4lIWlM26suzcEOWqCjgWXt4oh7RfGmfsm
jD6fIDU5pNyOh0P7t9FD2Id/fJV0ceKjCsxwr/d9T1ZrNtXjA6USfsObdx0LCltf
LmjrvVeXwgZHEm5ZJaO8obP9pBNypc2yEnGGnJWIrD8ZMJEXS80SrrigoQfVhXeY
srF7RJyPh4ivsLKqDFa9
=NGvg
-----END PGP SIGNATURE-----
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Thu, 10 Feb 2011 01:57:05 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Thu, 10 Feb 2011 01:57:05 GMT) (full text, mbox, link).
Message #33 received at 611787-close@bugs.debian.org (full text, mbox, reply):
Source: mediawiki
Source-Version: 1:1.12.0-2lenny8
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:
mediawiki-math_1.12.0-2lenny8_amd64.deb
to main/m/mediawiki/mediawiki-math_1.12.0-2lenny8_amd64.deb
mediawiki_1.12.0-2lenny8.diff.gz
to main/m/mediawiki/mediawiki_1.12.0-2lenny8.diff.gz
mediawiki_1.12.0-2lenny8.dsc
to main/m/mediawiki/mediawiki_1.12.0-2lenny8.dsc
mediawiki_1.12.0-2lenny8_all.deb
to main/m/mediawiki/mediawiki_1.12.0-2lenny8_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 06 Feb 2011 16:16:23 +0000
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny8
Distribution: oldstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
mediawiki - website engine for collaborative work
mediawiki-math - math rendering plugin for MediaWiki
Closes: 611787
Changes:
mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
.
* Oldstable upload.
* CVE-2011-0047: Protect against a CSS injection vulnerability
(closes: #611787)
Checksums-Sha1:
a4a0431432b89bac7a9fb3b5d0f1926d01fcae0f 1895 mediawiki_1.12.0-2lenny8.dsc
2a9b88136884206bf7723849a3384fda03f1b1df 68891 mediawiki_1.12.0-2lenny8.diff.gz
45f939771ecf9a48d60ef24ea8e81edb8eebba76 7229576 mediawiki_1.12.0-2lenny8_all.deb
e18d9b4cfc48d1c4460e19e4cf98bf2140f72fcc 157690 mediawiki-math_1.12.0-2lenny8_amd64.deb
Checksums-Sha256:
fa002d92e791206c10c4185df4cfeb63d6d9ca1af92d4990c03b6c1523bc3ae7 1895 mediawiki_1.12.0-2lenny8.dsc
22542ada6771949ef3ce3c8a21165b6dfce3d9bbbe215e452fc4772d810d0390 68891 mediawiki_1.12.0-2lenny8.diff.gz
29ecf34e43a5bac64d8ce4d96b604ce86d8ced22a9ec387af13e13a8c59c0ece 7229576 mediawiki_1.12.0-2lenny8_all.deb
4b6a57a5b4fec27ef7426b3b983d38078ccb4e6e58daa1419efe10d23ce21a70 157690 mediawiki-math_1.12.0-2lenny8_amd64.deb
Files:
235d47f9ccdcb055436e86a8b1b28c11 1895 web optional mediawiki_1.12.0-2lenny8.dsc
2ffefc7b71dafe08f002a36509e3e353 68891 web optional mediawiki_1.12.0-2lenny8.diff.gz
1d9fc1f603d01c23e19b35d1fdf35e17 7229576 web optional mediawiki_1.12.0-2lenny8_all.deb
8c8d273ceb5afd4b746f6e12b0f19f26 157690 web optional mediawiki-math_1.12.0-2lenny8_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJNUtpuAAoJEFOUR53TUkxREdIP/1Ae/YZbRpQRTD4AsZV8xc2Z
RLzYOkUtfBmbd9/7JT9jebqZBs3D+TdW5IRH4D+YNlP5gi9w7hL8drWaFR4A2na4
h40FNKDiY+rK7v9nMyksKUT4l7hgAwtXiTEPl5DZtGc+onL/FPXiVgOKSLB2eWOH
8fS9VP0+/VB4XatgNz7O9QK7Rkol+iSu1cNZhTtpDL6DFiPEDfnUSNabaRR+WDga
GS9qdRF1ddPyJw7aBtVf5qRS8Q/r/v3s7BD/tYtWKmdquSRD1sCj1mbFqcMjA4eo
ejAfEpPQuifOrO79nph5A05kMhnWSqpHYCtRZXWzp8+LMiy6GVCdCBaifVgidCCf
Ql3kAU1tCqwS9yxlBa+gbDWuK6Pnh7tBslWEJ+SuUmU2kvNS9EJ6tcT3iE1JYaGr
nRHUe5e3TFYQ02EFiM6Isz1VfWLjMNuiWMrhDliMjokYBWOFqnKVxVAMYyFleti+
8kokauCfZ/Qk/pSdIuZSBNKFd3D5+aH2WYKpcdqGR5Bt4hLlubG6KzTr0k3S1Wax
0ZpxgYxJBleb5pQo2FGNNhDIliW/k7MKoVxIrnsEaEBGuefcOXtcTyv2hh0Z5GAe
cufPPYHZ3kSt8KEPvLXT+6XH91HFbmmLCqbSP/RQm3mgMQR/CO06jg18VW6fjuu1
3dFaJdye3T7cOKfG8glK
=ssbC
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 20 Mar 2011 07:49:48 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:25:53 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon