mediawiki: CVE-2013-4567, CVE-2013-4568 and CVE-2013-4572


Debian Bug report logs - #729629


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Nov 2013 08:06:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Fixed in versions mediawiki/1:1.19.8+dfsg-2.2, mediawiki/1:1.19.9+dfsg-1

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#729629; Package mediawiki. (Fri, 15 Nov 2013 08:06:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 15 Nov 2013 08:06:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: CVE-2013-4567, CVE-2013-4568 and CVE-2013-4572
Date: Fri, 15 Nov 2013 08:50:30 +0100
Package: mediawiki
Severity: grave
Tags: security upstream patch fixed-upstream

Hi

To have these issues tracked: Upstream announced new security releases
for mediawiki:

http://lists.wikimedia.org/pipermail/wikitech-l/2013-November/073115.html

for mediawiki these are:

* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>

* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>

Regards,
Salvatore
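The second item above describes a class of bug that is easy to check for from the outside: a response that sets a session cookie while its cache headers still permit a shared cache (reverse proxy or CDN) to store the response and serve it to a different client. The following Python is an added example, not code from this bug report or from MediaWiki; it applies the shared-cache rules from RFC 7234 (private/no-store/no-cache, s-maxage over max-age, Expires as fallback) to a few constructed header sets and flags the combination that leaks. The sample header values and the cookie name are constructed for illustration and are not MediaWiki's actual headers.

```python
"""Flag HTTP responses that set a cookie yet remain storable by a shared cache.

Added example for the cache-header / session-cookie issue described above
(the CVE-2013-4572 class of bug). Not MediaWiki code; sample headers are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument} with lower-cased keys."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_reuse(headers: Dict[str, str],
                           now: Optional[datetime] = None) -> bool:
    """True if a shared cache may store this response and serve it to a later client.

    Rules as a reverse proxy applies them: private and no-store forbid storage,
    no-cache forces revalidation (so no silent reuse), s-maxage overrides
    max-age for shared caches, and Expires is the fallback. With no explicit
    freshness the function answers False: heuristic freshness is ignored so the
    check only flags responses that are unambiguously reusable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "private" in cc or "no-store" in cc or "no-cache" in cc:
        return False
    for directive in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if directive in cc:
            try:
                return int(cc[directive]) > 0
            except ValueError:
                return False
    expires = h.get("expires")
    if expires:
        try:
            expiry = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False        # an unparsable Expires counts as already stale
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        return expiry > (now or datetime.now(timezone.utc))
    return False


def session_cookie_leak_risk(headers: Dict[str, str],
                             now: Optional[datetime] = None) -> bool:
    """The dangerous combination: Set-Cookie present and the response is reusable."""
    h = {k.lower(): v for k, v in headers.items()}
    return "set-cookie" in h and shared_cache_may_reuse(headers, now)


# Constructed sample responses (not captured from MediaWiki).
SAMPLES: Dict[str, Dict[str, str]] = {
    # Shared-cache freshness while a session cookie is being set: flagged.
    "autocreate-vulnerable": {
        "Cache-Control": "s-maxage=18000, must-revalidate, max-age=0",
        "Set-Cookie": "wiki_session=constructedvalue; path=/; HttpOnly",
    },
    # Same cookie, but the response is marked private: not flagged.
    "autocreate-fixed": {
        "Cache-Control": "private, must-revalidate, max-age=0",
        "Set-Cookie": "wiki_session=constructedvalue; path=/; HttpOnly",
    },
    # Anonymous page view, cacheable, no cookie set: not flagged.
    "anonymous-view": {
        "Cache-Control": "s-maxage=18000, must-revalidate, max-age=0",
    },
    # Legacy style: only an Expires header, already in the past: not flagged.
    "expires-past": {
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
        "Set-Cookie": "wiki_session=constructedvalue; path=/",
    },
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES,
          now: Optional[datetime] = None) -> List[str]:
    """Return the names of the sample responses that would leak a session cookie."""
    return [name for name, hdrs in samples.items()
            if session_cookie_leak_risk(hdrs, now)]


if __name__ == "__main__":
    for name in audit():
        print(f"LEAK RISK: {name}")
```

Only the first sample is reported. Note that a `Vary: Cookie` header is deliberately not treated as a mitigation: it partitions cache entries by the request's Cookie header, so two clients that sent the same (or no) Cookie header still share one entry; the reliable fix is the `private` (or `no-store`) directive on any response that carries `Set-Cookie`.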



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#729629; Package mediawiki. (Fri, 15 Nov 2013 09:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 15 Nov 2013 09:54:05 GMT) (full text, mbox, link).


Message #10 received at 729629@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: security@debian.org, 729629@bugs.debian.org
Subject: Re: Bug#729629: mediawiki: CVE-2013-4567, CVE-2013-4568 and CVE-2013-4572
Date: Fri, 15 Nov 2013 09:41:51 +0000
On 2013-11-15 07:50, Salvatore Bonaccorso wrote:
> Package: mediawiki
> Severity: grave
> Tags: security upstream patch fixed-upstream
> 
> Hi
> 
> To have these issues tracked: Upstream announced new security releases
> for mediawiki:
> 
> http://lists.wikimedia.org/pipermail/wikitech-l/2013-November/073115.html

Thanks. Would you like DSAs prepared for these?

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#729629; Package mediawiki. (Sun, 08 Dec 2013 20:42:09 GMT) (full text, mbox, link).


Acknowledgement sent to David Prévot <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 08 Dec 2013 20:42:09 GMT) (full text, mbox, link).


Message #15 received at 729629@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: 729629@bugs.debian.org, 731381@bugs.debian.org
Subject: mediawiki: diff for NMU version 1:1.19.8+dfsg-2.2
Date: Sun, 8 Dec 2013 16:38:09 -0400
[Message part 1 (text/plain, inline)]
tags 729629 + pending
tags 731381 + pending
thanks

Dear maintainer,

I've prepared an NMU for mediawiki (versioned as 1:1.19.8+dfsg-2.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.

David
[mediawiki-1.19.8+dfsg-2.2-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Dec 2013 20:42:18 GMT) (full text, mbox, link).


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Fri, 13 Dec 2013 21:21:27 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Dec 2013 21:21:27 GMT) (full text, mbox, link).


Message #22 received at 729629-close@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: 729629-close@bugs.debian.org
Subject: Bug#729629: fixed in mediawiki 1:1.19.8+dfsg-2.2
Date: Fri, 13 Dec 2013 21:20:48 +0000
Source: mediawiki
Source-Version: 1:1.19.8+dfsg-2.2

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 08 Dec 2013 16:13:40 -0400
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.8+dfsg-2.2
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 729629 731381
Changes: 
 mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
 .
   * Non-maintainer upload
   * Security fixes (Closes: #729629):
     - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
       vectors for injecting Javascript in CSS that bypassed MediaWiki's
       blacklist [CVE-2013-4567, CVE-2013-4568]
     - Internal review while debugging a site issue discovered that MediaWiki
       and the CentralNotice extension were incorrectly setting cache headers
       when a user was autocreated, causing the user's session cookies to be
       cached, and returned to other users [CVE-2013-4572]
   * New Polish debconf translation, thanks to Magdalena Z. Kubot
     (Closes: #731381)
Checksums-Sha1: 
 c48906798a9b1496d636660b46754f7adbb263ed 1853 mediawiki_1.19.8+dfsg-2.2.dsc
 098bf5fb07ef0e5d7955a0328dc3af3a1ca7ed2c 53660 mediawiki_1.19.8+dfsg-2.2.debian.tar.gz
 b76ddf5c1024aa98125aae5b8f921532dca20998 11726608 mediawiki_1.19.8+dfsg-2.2_all.deb
 23979f747a6d714ad258cbf08c9f665d3a17d5e7 236188 mediawiki-classes_1.19.8+dfsg-2.2_all.deb
Checksums-Sha256: 
 835e60b6adaa7309750a03e3bb7c2f98f37558700c7c2a40d31ea0972488c95a 1853 mediawiki_1.19.8+dfsg-2.2.dsc
 f04460c72b51d5833a799a19fafc6187eded20f4f1ab519b5e9ae486f4601771 53660 mediawiki_1.19.8+dfsg-2.2.debian.tar.gz
 a5aedeb151b6a829ab529bd2785368df95c388975a9b82b6be841fb97dc957a1 11726608 mediawiki_1.19.8+dfsg-2.2_all.deb
 73a3f5fd66bbd5211b2035593005e1be78cfd14a0d577e7c7e8e4575a3f8a198 236188 mediawiki-classes_1.19.8+dfsg-2.2_all.deb
Files: 
 764e12343537c8c0257698ae6a2a8808 1853 web optional mediawiki_1.19.8+dfsg-2.2.dsc
 cd6ee552dc1d740542a9b55665547d8d 53660 web optional mediawiki_1.19.8+dfsg-2.2.debian.tar.gz
 de750724e828a2dbeeee803c77e24c67 11726608 web optional mediawiki_1.19.8+dfsg-2.2_all.deb
 32c7cd5864cb4479dfa8b71d5d7cabd7 236188 web optional mediawiki-classes_1.19.8+dfsg-2.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBCAAGBQJSpNToAAoJEAWMHPlE9r08wjcH/2NZDbXaa+00vaBZ3tA/r6eR
FTGulRw5MzSgK3fJlcL3gwL+N6aLF6Bcul+bHEaP/Cqt7HTHNUjmPOPkR7V56vUg
93K07nHUDoznQlzkRZTBK2o6r9ykFjF7rBGXYFMCaS80fBFHiyZmIGRl6DCitZpg
QJSo2AcRydWYhhO2ZlA6yGJOLQt26afnDtShJY9x9GFG4ooNW+UY5C+rhrBcwe0e
uqNUdYrKvHI8RWjszFYm5PYQVsvZsLJDhj7rCKoq15H9roQECsMqpI2OY1SC0tcY
32BERCzQidB+JyKRPFvoPeoTohDle2m85PJrwWzIvJetyD2YD2+9ruAucVwWlWI=
=mDul
-----END PGP SIGNATURE-----




Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Tue, 31 Dec 2013 11:51:20 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 31 Dec 2013 11:51:21 GMT) (full text, mbox, link).


Message #27 received at 729629-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: 729629-close@bugs.debian.org
Subject: Bug#729629: fixed in mediawiki 1:1.19.9+dfsg-1
Date: Tue, 31 Dec 2013 11:49:51 +0000
Source: mediawiki
Source-Version: 1:1.19.9+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Tue, 31 Dec 2013 12:18:56 +0100
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.9+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 703837 719208 725162 729629 731381
Changes: 
 mediawiki (1:1.19.9+dfsg-1) unstable; urgency=medium
 .
   [ Jonathan Wiltshire ]
   * Re-work debian/rule:get-orig-source:
     - use more conventional tools
     - improve legibility
     - safer use of temporary directories
   * Guard against missing mod_php5 in Apache configuration
     (Closes: #725162)
 .
   [ Thorsten Glaser ]
   * Refresh patches against 1.19.9
   * Handle /var/lib/mediawiki/extensions/* always as symlinks, for
     both core and extra extensions, with upgrade path (Closes: #719208)
   * Address updated lintian tags
   * Update copyright file with things noted by Paul Tagliamonet, thanks!
 .
 mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
 .
   * Non-maintainer upload
   * Security fixes (Closes: #729629):
     - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
       vectors for injecting Javascript in CSS that bypassed MediaWiki's
       blacklist [CVE-2013-4567, CVE-2013-4568]
     - Internal review while debugging a site issue discovered that MediaWiki
       and the CentralNotice extension were incorrectly setting cache headers
       when a user was autocreated, causing the user's session cookies to be
       cached, and returned to other users [CVE-2013-4572]
   * New Polish debconf translation, thanks to Magdalena Z. Kubot
     (Closes: #731381)
 .
 mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low
 .
   * Provide includes/libs in mediawiki-classes (Closes: #703837)
Checksums-Sha1: 
 08f1ca7db1189d6ab3be7cac9300fc20f72c0b70 2188 mediawiki_1.19.9+dfsg-1.dsc
 2ae0335beb9bd7a2c5c6903ce5764ccc444d5c7d 12178272 mediawiki_1.19.9+dfsg.orig.tar.xz
 805fbc122923def91c8296d10a0f1d1339485caf 54035 mediawiki_1.19.9+dfsg-1.debian.tar.gz
 3dfb1abd7e4d4e60590e57d828c24759a766475c 17881028 mediawiki_1.19.9+dfsg-1_all.deb
 93675b799ea197ad7a9edfd6398ae329223a57d3 242346 mediawiki-classes_1.19.9+dfsg-1_all.deb
Checksums-Sha256: 
 24bdbd99aaf4056710aa9c5b1cb5d06dabce48bc7a0e671b880dcc74b4222f1f 2188 mediawiki_1.19.9+dfsg-1.dsc
 60e92bab84a60ebbdb37f28a82514aaa8803685115394f98830a9cae783526da 12178272 mediawiki_1.19.9+dfsg.orig.tar.xz
 764a5a9554e9bd4f52fa741d492d787a4300e45d95f403d00d5731e90bea57fe 54035 mediawiki_1.19.9+dfsg-1.debian.tar.gz
 5c54a40b736e0d617012ddc0709b62a377481755ff7273660b1ae3ad0b2885b7 17881028 mediawiki_1.19.9+dfsg-1_all.deb
 27962eb256a3d80fcf1762d82bc090f7b415ba9f3544a90a2bb8f7ae3399d011 242346 mediawiki-classes_1.19.9+dfsg-1_all.deb
Files: 
 9de67fbf97ec5c13c070a43fcd65e414 2188 web optional mediawiki_1.19.9+dfsg-1.dsc
 eb6a02273d41ba352227383beb4d2847 12178272 web optional mediawiki_1.19.9+dfsg.orig.tar.xz
 149cedbb8cea5f2c30fc537fffb6f3ac 54035 web optional mediawiki_1.19.9+dfsg-1.debian.tar.gz
 8084134253ade0558f15ffab6bcdc0c3 17881028 web optional mediawiki_1.19.9+dfsg-1_all.deb
 1a79e41dbb8dbdfc500de7879cc5b609 242346 web optional mediawiki-classes_1.19.9+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
=hNU0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jan 2014 07:28:47 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:02 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.