[Pkg-mediawiki-commits] r235 - in mediawiki/lenny/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Tue Jan 4 23:03:33 UTC 2011
Author: jmw
Date: 2011-01-04 23:03:33 +0000 (Tue, 04 Jan 2011)
New Revision: 235
Added:
mediawiki/lenny/debian/patches/CVE-2011-0003.patch
Modified:
mediawiki/lenny/debian/changelog
mediawiki/lenny/debian/patches/series
Log:
Backport fix for clickjacking vulnerability
Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog 2011-01-04 22:28:57 UTC (rev 234)
+++ mediawiki/lenny/debian/changelog 2011-01-04 23:03:33 UTC (rev 235)
@@ -1,3 +1,12 @@
+mediawiki (1:1.12.0-2lenny7) stable; urgency=high
+
+ * Stable upload.
+ * CVE-2011-0003: Minimise risk of clickjacking by denying
+ framing on all pages except normal page views and a few
+ selected special pages
+
+ -- Jonathan Wiltshire <jmw at debian.org> Tue, 04 Jan 2011 19:32:42 +0000
+
mediawiki (1:1.12.0-2lenny6) stable; urgency=high
* Stable upload. Closes: #591382
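Review bot: the changelog entry `* CVE-2011-0003: Minimise risk of clickjacking by denying` / `framing on all pages except normal page views and a few` / `selected special pages` describes an exemption that the accompanying CVE-2011-0003.patch does not implement: that patch sends `X-Frame-Options: DENY` unconditionally from OutputPage::output(), so normal page views are denied framing as well. Either reword the entry to say framing is denied on every page that goes through OutputPage, or carry the exemption logic over in the patch; as written, an administrator reading the changelog will expect article views embedded in a frame to keep working when they will not.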
Added: mediawiki/lenny/debian/patches/CVE-2011-0003.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-0003.patch (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-0003.patch 2011-01-04 23:03:33 UTC (rev 235)
@@ -0,0 +1,28 @@
+Description: prevent ClickJacking by breaking out of iframes
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
+Author: Tim Starling
+Last-Update: 2011-01-04
+
+--- mediawiki-1.12.0.orig/config/index.php
++++ mediawiki-1.12.0/config/index.php
+@@ -21,6 +21,7 @@
+
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+
+ # In case of errors, let output be clean.
+--- mediawiki-1.12.0.orig/includes/OutputPage.php
++++ mediawiki-1.12.0/includes/OutputPage.php
+@@ -717,6 +717,9 @@
+ $wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ $wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+
++ # To prevent clickjacking, do not allow this page to be inside a frame.
++ $wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ if ($this->mArticleBodyOnly) {
+ $this->out($this->mBodytext);
+ } else {
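Review bot: the DEP-3 header is inaccurate on two points. `+Description: prevent ClickJacking by breaking out of iframes` implies a frame-busting script, but both nested hunks only add an `X-Frame-Options: DENY` response header (the browser declines to render the page inside a frame; nothing "breaks out"); reword to something like `Description: prevent clickjacking by sending X-Frame-Options: DENY (CVE-2011-0003)` so the CVE id is searchable inside the patch itself. And since this is a backport of upstream r79566 onto 1.12.0, `+Origin:` should read `Origin: backport, http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566`. Two caveats are worth recording in the header as well: the mitigation depends entirely on the client honouring X-Frame-Options, which older browsers silently ignore, and the header is emitted only from OutputPage::output() and from config/index.php, so any entry point that writes its own headers rather than going through OutputPage is not covered by this change.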
Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series 2011-01-04 22:28:57 UTC (rev 234)
+++ mediawiki/lenny/debian/patches/series 2011-01-04 23:03:33 UTC (rev 235)
@@ -11,3 +11,4 @@
1.15.4-userlogin-security.patch
1.15.4-css-security.patch
1.15.5-profileinfo-security.patch
+CVE-2011-0003.patch
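Review bot: naming is inconsistent with the rest of the series: the other security backports are named after the upstream release they were taken from (`1.15.4-userlogin-security.patch`, `1.15.5-profileinfo-security.patch`), while `+CVE-2011-0003.patch` is named by CVE id alone. Either scheme works, but pick one; if the CVE naming stays, the DEP-3 `Origin:` line in the patch already records upstream r79566, so the two can still be cross-referenced.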