mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5243)

Related Vulnerabilities: CVE-2014-5241   CVE-2014-5243   CVE-2014-5242  

Debian Bug report logs - #758510

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 18 Aug 2014 10:33:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions mediawiki/1:1.19.16+dfsg-0+deb7u1, mediawiki/1:1.19.17+dfsg-1

Fixed in versions mediawiki/1:1.19.18+dfsg-0.1, mediawiki/1:1.19.18+dfsg-0+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#758510; Package src:mediawiki. (Mon, 18 Aug 2014 10:33:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 18 Aug 2014 10:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5242 CVE-2014-5243)
Date: Mon, 18 Aug 2014 12:30:42 +0200
Source: mediawiki
Version: 1:1.19.17+dfsg-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 1:1.19.16+dfsg-0+deb7u1

Hi

See

https://marc.info/?l=oss-security&m=140800398132695&w=2

and 

https://www.mediawiki.org/wiki/Release_notes/1.19#Changes_since_1.19.17
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

Regards,
Salvatore



Marked as found in versions mediawiki/1:1.19.16+dfsg-0+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 18 Aug 2014 10:33:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#758510; Package src:mediawiki. (Mon, 18 Aug 2014 15:27:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 18 Aug 2014 15:27:09 GMT)


Message #12 received at 758510@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 758510@bugs.debian.org
Subject: Re: Bug#758510: mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5243)
Date: Mon, 18 Aug 2014 17:22:34 +0200
Control: retitle -1 mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5243)

Hi,

Actually CVE-2014-5242 does not affect 1.19, also according to [1].

 [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=66608#c18

Regards,
Salvatore



Changed Bug title to 'mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5243)' from 'mediawiki: 1.19.18 fixes security vulnerabilities (CVE-2014-5241 CVE-2014-5242 CVE-2014-5243)' Request was from Salvatore Bonaccorso <carnil@debian.org> to 758510-submit@bugs.debian.org. (Mon, 18 Aug 2014 15:27:09 GMT)


Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Aug 2014 15:42:16 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 24 Aug 2014 05:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Aug 2014 05:21:05 GMT)


Message #21 received at 758510-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 758510-close@bugs.debian.org
Subject: Bug#758510: fixed in mediawiki 1:1.19.18+dfsg-0.1
Date: Sun, 24 Aug 2014 05:19:58 +0000
Source: mediawiki
Source-Version: 1:1.19.18+dfsg-0.1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Aug 2014 06:47:35 +0200
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.18+dfsg-0.1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 758510
Changes:
 mediawiki (1:1.19.18+dfsg-0.1) unstable; urgency=high
 .
   * Non-maintainer upload with maintainers approval.
   * Imported Upstream version 1.19.18+dfsg
     (Closes: #758510)
     - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
     - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
       OutputPage and ParserOutput.




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 26 Aug 2014 21:33:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 26 Aug 2014 21:33:29 GMT)


Message #26 received at 758510-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 758510-close@bugs.debian.org
Subject: Bug#758510: fixed in mediawiki 1:1.19.18+dfsg-0+deb7u1
Date: Tue, 26 Aug 2014 21:32:09 +0000
Source: mediawiki
Source-Version: 1:1.19.18+dfsg-0+deb7u1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Aug 2014 06:47:09 +0200
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.18+dfsg-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 752622 758510
Changes: 
 mediawiki (1:1.19.18+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Imported Upstream version 1.19.18+dfsg
     (Closes: #752622, #758510)
     - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
     - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
       OutputPage and ParserOutput.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Nov 2014 07:27:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:19:41 2019; Machine Name: beach
