[Pkg-mediawiki-commits] r293 - in mediawiki/tags: . 1:1.15.5-6/debian 1:1.15.5-6/debian/patches
Jonathan Wiltshire
jmw at alioth.debian.org
Fri Jan 13 12:13:34 UTC 2012
Author: jmw
Date: 2012-01-13 12:13:34 +0000 (Fri, 13 Jan 2012)
New Revision: 293
Added:
mediawiki/tags/1:1.15.5-6/
mediawiki/tags/1:1.15.5-6/debian/changelog
mediawiki/tags/1:1.15.5-6/debian/patches/CVE-2012-0046.patch
mediawiki/tags/1:1.15.5-6/debian/patches/series
Removed:
mediawiki/tags/1:1.15.5-6/debian/changelog
mediawiki/tags/1:1.15.5-6/debian/patches/series
Log:
[svn-buildpackage] Tagging mediawiki 1:1.15.5-6
Deleted: mediawiki/tags/1:1.15.5-6/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog 2012-01-11 09:03:51 UTC (rev 289)
+++ mediawiki/tags/1:1.15.5-6/debian/changelog 2012-01-13 12:13:34 UTC (rev 293)
@@ -1,370 +0,0 @@
-mediawiki (1:1.15.5-6) UNRELEASED; urgency=low
-
- * debian/patches/khtml_not_ff9.patch: new (Closes: #652948)
-
- -- Thorsten Glaser <tg at mirbsd.de> Wed, 11 Jan 2012 10:03:14 +0100
-
-mediawiki (1:1.15.5-5) unstable; urgency=high
-
- * Security fixes from upstream:
- CVE-2011-1578 - XSS for IE <= 6
- CVE-2011-1579 - CSS validation error in wikitext parser
- CVE-2011-1580 - access control checks on transwiki import feature
- CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
-
- -- Jonathan Wiltshire <jmw at debian.org> Sun, 18 Dec 2011 23:48:18 +0000
-
-mediawiki (1:1.15.5-4) unstable; urgency=low
-
- [ Thorsten Glaser ]
- * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)
-
- [ Jonathan Wiltshire ]
- * Security fixes from upstream (Closes: #650434):
- CVE-2011-4360 - page titles on private wikis could be exposed
- bypassing different page ids to index.php
- CVE-2011-4361 - action=ajax requests were dispatched to the
- relevant function without any read permission checks being done
-
- -- Jonathan Wiltshire <jmw at debian.org> Wed, 30 Nov 2011 22:42:52 +0000
-
-mediawiki (1:1.15.5-3) unstable; urgency=high
-
- [ Thorsten Glaser ]
- * debian/patches/fix_datetime.patch: new, convert argument into
- the format expected by other methods, fixes date/time output
- in e.g. the News/RSS extensions
-
- [ Jonathan Wiltshire ]
- * CVE-2011-0047: Protect against a CSS injection vulnerability
- (closes: #611787)
- * Update my email address
-
- -- Jonathan Wiltshire <jmw at debian.org> Sun, 06 Feb 2011 15:53:48 +0000
-
-mediawiki (1:1.15.5-2) testing-security; urgency=high
-
- * CVE-2011-0003: Protect against clickjacking by sending the
- X-Frame-Options header in all pages (except normal page views
- and a few selected special pages). Patch as released by upstream
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 04 Jan 2011 22:39:26 +0000
-
-mediawiki (1:1.15.5-1) unstable; urgency=high
-
- [ Thorsten Glaser ]
- * debian/patches/suppress_warnings.patch: new, suppress warnings
- about session_start() being called twice also in the PHP error
- log, not just MediaWiki’s, for example run from FusionForge
-
- [ Jonathan Wiltshire ]
- * New upstream security release:
- - correctly set caching headers to prevent private data leakage
- (closes: #590660, LP: #610782)
- - fix XSS vulnerability in profileinfo.php
- (closes: #590669, LP: #610819)
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Wed, 28 Jul 2010 12:23:04 +0100
-
-mediawiki (1:1.15.4-2) unstable; urgency=low
-
- [ Thorsten Glaser ]
- * debian/control: add Vcs-SVN and Vcs-Browser
-
- [ Jonathan Wiltshire ]
- * debian/source/format: Switch to source format 3.0 (quilt)
- * debian/rules: Drop CDBS quilt logic
- * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
- remove the original definition (LP: #406358)
- * debian/README.source: document use of quilt and format 3.0 (quilt)
- * New patch backup_documentation.patch improves documentation of
- maintenance/dumpBackup.php (closes: #572355)
- * Standards version 3.9.0 (no changes)
-
- -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 29 Jun 2010 14:20:35 +0100
-
-mediawiki (1:1.15.4-1) unstable; urgency=high
-
- [ Jonathan Wiltshire ]
- * New upstream security release (closes: #585918).
- * CVE-2010-1647:
- Fix a cross-site scripting (XSS) vulnerability which allows
- remote attackers to inject arbitrary web script or HTML via crafted
- Cascading Style Sheets (CSS) strings that are processed as script by
- Internet Explorer.
- * CVE-2010-1648:
- Fix a cross-site request forgery (CSRF) vulnerability in the login interface
- which allows remote attackers to hijack the authentication of users for
- requests that (1) create accounts or (2) reset passwords, related to the
- Special:Userlogin form.
-
- [ Romain Beauxis ]
- * Put debian's package version in declared version.
- Should help sysadmins to keep track of installed
- versions, in particular with regard to security
- updates.
- * Added Jonathan Wiltshire to uploaders.
- * Do not clan math dir if it does not exist (for instance
- when running clean from SVN).
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 21 Jun 2010 23:41:29 +0200
-
-mediawiki (1:1.15.3-1) unstable; urgency=high
-
- * New upstream release.
- * Fixes security issue:
- "MediaWiki was found to be vulnerable to login CSRF. An attacker who
- controls a user account on the target wiki can force the victim to log
- in as the attacker, via a script on an external website. If the wiki is
- configured to allow user scripts, say with "$wgAllowUserJs = true" in
- LocalSettings.php, then the attacker can proceed to mount a
- phishing-style attack against the victim to obtain their password."
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:44:09 -0500
-
-mediawiki (1:1.15.2-1) unstable; urgency=high
-
- * New upstream release.
- * Fixes security issue:
- "Two security issues were discovered:
-
- A CSS validation issue was discovered which allows editors to display
- external images in wiki pages. This is a privacy concern on public
- wikis, since a malicious user may link to an image on a server they
- control, which would allow that attacker to gather IP addresses and
- other information from users of the public wiki. All sites running
- publicly-editable MediaWiki installations are advised to upgrade. All
- versions of MediaWiki (prior to this one) are affected.
-
- A data leakage vulnerability was discovered in thumb.php which affects
- wikis which restrict access to private files using img_auth.php, or
- some similar scheme. All versions of MediaWiki since 1.5 are affected."
- * Updated standards.
- * Removed section about upgrading from mediawiki1.x packages
- in README.Debian since they do not exist in any supported distribution
- anymore.
- * Switched php5-gd and imagemagick in Suggests. Closes: #542008
- * Backported patch from revision 51083 to fix a bug with invalid titles.
- Closes: #537134
- * Backported patch from revision 61090 to add a unique guid per RSS
- feed element.
- Closes: #383130
- * Refreshed patches.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 11:41:07 -0500
-
-mediawiki (1:1.15.1-1) unstable; urgency=low
-
- * New upstream release.
- * Ack previous NMU, thanks to Nico Golde for taking care
- of this.
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 09 Aug 2009 10:46:41 -0500
-
-mediawiki (1:1.15.0-1.1) unstable; urgency=high
-
- * Non-maintainer upload by the Security Team.
- * Fix cross-site scripting in [[Special:Block]]
- (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-
- -- Nico Golde <nion at debian.org> Sun, 26 Jul 2009 18:11:07 +0200
-
-mediawiki (1:1.15.0-1) unstable; urgency=low
-
- * New upstream release.
- * Upstream added support for OASIS documents.
- Closes: #530328
- * Refreshed quilt patches
- * Bumped standards versions to 3.8.2
- * Bumped compat to 7
- * Pointed to GPL-2 in debian/copyright
- * Added php5-sqlite to possible DB backend dependencies.
- Closes: #501569
- * Proofread README.Debian, upgrade is documented there.
- Closes: #520121
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 19 Jun 2009 01:38:50 +0200
-
-mediawiki (1:1.14.0-1) unstable; urgency=low
-
- * New upstream release.
- * Fixed issues in the installer:
- "A number of cross-site scripting (XSS) security vulnerabilities were
- discovered in the web-based installer (config/index.php).
- These vulnerabilities all require a live installer once the installer
- has been used to install a wiki, it is deactivated.
-
- Note that cross-site scripting vulnerabilities can be used to attack
- any website in the same cookie domain. So if you have an uninstalled
- copy of MediaWiki on the same site as an active web service, MediaWiki
- could be used to attack the active service."
- Closes: #514547
- * Fixed typo in README.Debian
- Closes: #515192
- * Updated japanese debconf translation, thanks to Hideki Yamane
- Closes: #510896
- * Added a file in debian/copyright
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 06 Mar 2009 20:29:17 +0100
-
-mediawiki (1:1.13.3-1) unstable; urgency=low
-
- * New upstream release.
- * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
- "An XSS vulnerability affecting all MediaWiki installations between
- 1.13.0 and 1.13.2."
- Closes: #508868
- * Fix CVE-2008-5250: several local script injection vulnerabilities
- in MediaWiki:
- "o A local script injection vulnerability affecting Internet Explorer
- clients for all MediaWiki installations with uploads enabled.
- o A local script injection vulnerability affecting clients with SVG
- scripting capability (such as Firefox 1.5+), for all MediaWiki
- installations with SVG uploads enabled."
- Closes: #508869
- * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
- feature in MediaWiki:
- "A CSRF vulnerability affecting the Special:Import feature, for all
- MediaWiki installations since the feature was introduced in 1.3.0."
- Closes: #508870
-
- -- Romain Beauxis <toots at rastageeks.org> Thu, 18 Dec 2008 02:37:58 +0100
-
-mediawiki (1:1.13.2-1) unstable; urgency=low
-
- * New upstream release
- * Fix CVE-2008-4408: XSS in mediawiki:
- "Cross-site scripting (XSS) vulnerability allows remote attackers
- to inject arbitrary web script or HTML via the useskin parameter
- to an unspecified component."
- Closes: #501115
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 11 Oct 2008 15:02:39 +0200
-
-mediawiki (1:1.13.0-2) unstable; urgency=low
-
- * Removed buggy postgresql patch
- Closes: #497042
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 30 Aug 2008 14:06:47 +0200
-
-mediawiki (1:1.13.0-1) unstable; urgency=low
-
- * New upstream release
- * Fixed watch file. Closes: #490009
- * Refreshed patches
- * Bumped standard-version to 3.8.0
- * Fixed latex-related dependencies in mediawiki-math
- * Removed obsolete linda override, thanks lintian !
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 17 Aug 2008 11:01:43 +0200
-
-mediawiki (1:1.12.0-2) unstable; urgency=low
-
- * Fixed postgresql dependency
- Closes: #472987
- * Added instructions to install and upgrade
- Closes: #472990, #472831
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
-
-mediawiki (1:1.12.0-1) unstable; urgency=low
-
- * New upstream release
- * Updated patch for postfix support: dropped what
- has been implemented upstream
- * Refreshed other patches, thanks to quilt
- * Changed postgresql recommends to "postgresql" package
- Closes: #469582
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
-
-mediawiki (1:1.11.2-2) unstable; urgency=high
-
- * Added patch to fix pgsql select, thanks to Marc Dequènes
- Closes: #469841
- * Upated README.Debian to mention php5-gd instead of php5-gd2
- and texlive-latex-base instead to tetex-bin.
- Closes: #469558
- * still setting urgency to high since previous upload didn't make it
- to testing.
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
-
-mediawiki (1:1.11.2-1) unstable; urgency=high
-
- * New upstream release
- * Security fix:
- "Possible cross-site information leaks using the callback
- parameter for JSON-formatted results in the API are prevented by
- dropping user credentials."
- * Added informations on LocalSettings.php in README.Debian
- Closes: #462609
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
-
-mediawiki (1:1.11.1-1) unstable; urgency=high
-
- * New upstream release
- * A potential XSS injection vector affecting
- Microsoft Internet Explorer users has been
- closed.
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
-
-mediawiki (1:1.11.0-4) unstable; urgency=low
-
- * Really add the patch for #459312
- * Added also patch to fix #459617
- Closes: #459617
- * Merged two previous patches
-
- -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
-
-mediawiki (1:1.11.0-3) unstable; urgency=low
-
- * Really remove debian specific scripts
- * Backported patch to fix unserialize with postgre
- Closes: #459312
- * Added finnish translation of the debconf templates, thanks to Esko
- Arajärvi. Closes: #456983
- * Updated standards to 3.7.3 (no changes)
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
-
-mediawiki (1:1.11.0-2) unstable; urgency=low
-
- * Initial upload of 1.11.0 to unstable
-
- -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
-
-mediawiki (1:1.11.0-1) experimental; urgency=low
-
- * Removed mediawikiX versioned packages
- * Updated to mediawiki 1.11
- * Removed automatic upgrade script
- * Updated README.Debian (Closes: #442311, #442302)
- * Changed default upload directory (Closes: #444445)
-
- -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
-
-mediawiki (1:1.10) unstable; urgency=low
-
- * Switched to mediawiki1.10
- * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
-
- -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
-
-mediawiki (1:1.9) unstable; urgency=low
-
- * Switched to mediawiki1.9, closes: #392932
- * Corrected typo in control, closes: #414121
- * Seperated -math extension to a single package, closes: #401714
-
- -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
-
-mediawiki (1:1.7) unstable; urgency=low
-
- * Initial Release
-
- -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
Copied: mediawiki/tags/1:1.15.5-6/debian/changelog (from rev 291, mediawiki/sid-sec/debian/changelog)
===================================================================
--- mediawiki/tags/1:1.15.5-6/debian/changelog (rev 0)
+++ mediawiki/tags/1:1.15.5-6/debian/changelog 2012-01-13 12:13:34 UTC (rev 293)
@@ -0,0 +1,375 @@
+mediawiki (1:1.15.5-6) unstable; urgency=low
+
+ [ Thorsten Glaser ]
+ * debian/patches/khtml_not_ff9.patch: new (Closes: #652948)
+
+ [ Jonathan Wiltshire ]
+ * debian/patches/CVE-2012-0046.patch: security fix for unintended exposure
+ of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694)
+
+ -- Jonathan Wiltshire <jmw at debian.org> Fri, 13 Jan 2012 09:54:41 +0000
+
+mediawiki (1:1.15.5-5) unstable; urgency=high
+
+ * Security fixes from upstream:
+ CVE-2011-1578 - XSS for IE <= 6
+ CVE-2011-1579 - CSS validation error in wikitext parser
+ CVE-2011-1580 - access control checks on transwiki import feature
+ CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 18 Dec 2011 23:48:18 +0000
+
+mediawiki (1:1.15.5-4) unstable; urgency=low
+
+ [ Thorsten Glaser ]
+ * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)
+
+ [ Jonathan Wiltshire ]
+ * Security fixes from upstream (Closes: #650434):
+ CVE-2011-4360 - page titles on private wikis could be exposed
+ bypassing different page ids to index.php
+ CVE-2011-4361 - action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done
+
+ -- Jonathan Wiltshire <jmw at debian.org> Wed, 30 Nov 2011 22:42:52 +0000
+
+mediawiki (1:1.15.5-3) unstable; urgency=high
+
+ [ Thorsten Glaser ]
+ * debian/patches/fix_datetime.patch: new, convert argument into
+ the format expected by other methods, fixes date/time output
+ in e.g. the News/RSS extensions
+
+ [ Jonathan Wiltshire ]
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+ * Update my email address
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 06 Feb 2011 15:53:48 +0000
+
+mediawiki (1:1.15.5-2) testing-security; urgency=high
+
+ * CVE-2011-0003: Protect against clickjacking by sending the
+ X-Frame-Options header in all pages (except normal page views
+ and a few selected special pages). Patch as released by upstream
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 04 Jan 2011 22:39:26 +0000
+
+mediawiki (1:1.15.5-1) unstable; urgency=high
+
+ [ Thorsten Glaser ]
+ * debian/patches/suppress_warnings.patch: new, suppress warnings
+ about session_start() being called twice also in the PHP error
+ log, not just MediaWiki’s, for example run from FusionForge
+
+ [ Jonathan Wiltshire ]
+ * New upstream security release:
+ - correctly set caching headers to prevent private data leakage
+ (closes: #590660, LP: #610782)
+ - fix XSS vulnerability in profileinfo.php
+ (closes: #590669, LP: #610819)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Wed, 28 Jul 2010 12:23:04 +0100
+
+mediawiki (1:1.15.4-2) unstable; urgency=low
+
+ [ Thorsten Glaser ]
+ * debian/control: add Vcs-SVN and Vcs-Browser
+
+ [ Jonathan Wiltshire ]
+ * debian/source/format: Switch to source format 3.0 (quilt)
+ * debian/rules: Drop CDBS quilt logic
+ * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
+ remove the original definition (LP: #406358)
+ * debian/README.source: document use of quilt and format 3.0 (quilt)
+ * New patch backup_documentation.patch improves documentation of
+ maintenance/dumpBackup.php (closes: #572355)
+ * Standards version 3.9.0 (no changes)
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk> Tue, 29 Jun 2010 14:20:35 +0100
+
+mediawiki (1:1.15.4-1) unstable; urgency=high
+
+ [ Jonathan Wiltshire ]
+ * New upstream security release (closes: #585918).
+ * CVE-2010-1647:
+ Fix a cross-site scripting (XSS) vulnerability which allows
+ remote attackers to inject arbitrary web script or HTML via crafted
+ Cascading Style Sheets (CSS) strings that are processed as script by
+ Internet Explorer.
+ * CVE-2010-1648:
+ Fix a cross-site request forgery (CSRF) vulnerability in the login interface
+ which allows remote attackers to hijack the authentication of users for
+ requests that (1) create accounts or (2) reset passwords, related to the
+ Special:Userlogin form.
+
+ [ Romain Beauxis ]
+ * Put debian's package version in declared version.
+ Should help sysadmins to keep track of installed
+ versions, in particular with regard to security
+ updates.
+ * Added Jonathan Wiltshire to uploaders.
+ * Do not clan math dir if it does not exist (for instance
+ when running clean from SVN).
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 21 Jun 2010 23:41:29 +0200
+
+mediawiki (1:1.15.3-1) unstable; urgency=high
+
+ * New upstream release.
+ * Fixes security issue:
+ "MediaWiki was found to be vulnerable to login CSRF. An attacker who
+ controls a user account on the target wiki can force the victim to log
+ in as the attacker, via a script on an external website. If the wiki is
+ configured to allow user scripts, say with "$wgAllowUserJs = true" in
+ LocalSettings.php, then the attacker can proceed to mount a
+ phishing-style attack against the victim to obtain their password."
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 16 Apr 2010 14:44:09 -0500
+
+mediawiki (1:1.15.2-1) unstable; urgency=high
+
+ * New upstream release.
+ * Fixes security issue:
+ "Two security issues were discovered:
+
+ A CSS validation issue was discovered which allows editors to display
+ external images in wiki pages. This is a privacy concern on public
+ wikis, since a malicious user may link to an image on a server they
+ control, which would allow that attacker to gather IP addresses and
+ other information from users of the public wiki. All sites running
+ publicly-editable MediaWiki installations are advised to upgrade. All
+ versions of MediaWiki (prior to this one) are affected.
+
+ A data leakage vulnerability was discovered in thumb.php which affects
+ wikis which restrict access to private files using img_auth.php, or
+ some similar scheme. All versions of MediaWiki since 1.5 are affected."
+ * Updated standards.
+ * Removed section about upgrading from mediawiki1.x packages
+ in README.Debian since they do not exist in any supported distribution
+ anymore.
+ * Switched php5-gd and imagemagick in Suggests. Closes: #542008
+ * Backported patch from revision 51083 to fix a bug with invalid titles.
+ Closes: #537134
+ * Backported patch from revision 61090 to add a unique guid per RSS
+ feed element.
+ Closes: #383130
+ * Refreshed patches.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 15 Mar 2010 11:41:07 -0500
+
+mediawiki (1:1.15.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Ack previous NMU, thanks to Nico Golde for taking care
+ of this.
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 09 Aug 2009 10:46:41 -0500
+
+mediawiki (1:1.15.0-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cross-site scripting in [[Special:Block]]
+ (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
+
+ -- Nico Golde <nion at debian.org> Sun, 26 Jul 2009 18:11:07 +0200
+
+mediawiki (1:1.15.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * Upstream added support for OASIS documents.
+ Closes: #530328
+ * Refreshed quilt patches
+ * Bumped standards versions to 3.8.2
+ * Bumped compat to 7
+ * Pointed to GPL-2 in debian/copyright
+ * Added php5-sqlite to possible DB backend dependencies.
+ Closes: #501569
+ * Proofread README.Debian, upgrade is documented there.
+ Closes: #520121
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 19 Jun 2009 01:38:50 +0200
+
+mediawiki (1:1.14.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed issues in the installer:
+ "A number of cross-site scripting (XSS) security vulnerabilities were
+ discovered in the web-based installer (config/index.php).
+ These vulnerabilities all require a live installer once the installer
+ has been used to install a wiki, it is deactivated.
+
+ Note that cross-site scripting vulnerabilities can be used to attack
+ any website in the same cookie domain. So if you have an uninstalled
+ copy of MediaWiki on the same site as an active web service, MediaWiki
+ could be used to attack the active service."
+ Closes: #514547
+ * Fixed typo in README.Debian
+ Closes: #515192
+ * Updated japanese debconf translation, thanks to Hideki Yamane
+ Closes: #510896
+ * Added a file in debian/copyright
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 06 Mar 2009 20:29:17 +0100
+
+mediawiki (1:1.13.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
+ "An XSS vulnerability affecting all MediaWiki installations between
+ 1.13.0 and 1.13.2."
+ Closes: #508868
+ * Fix CVE-2008-5250: several local script injection vulnerabilities
+ in MediaWiki:
+ "o A local script injection vulnerability affecting Internet Explorer
+ clients for all MediaWiki installations with uploads enabled.
+ o A local script injection vulnerability affecting clients with SVG
+ scripting capability (such as Firefox 1.5+), for all MediaWiki
+ installations with SVG uploads enabled."
+ Closes: #508869
+ * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
+ feature in MediaWiki:
+ "A CSRF vulnerability affecting the Special:Import feature, for all
+ MediaWiki installations since the feature was introduced in 1.3.0."
+ Closes: #508870
+
+ -- Romain Beauxis <toots at rastageeks.org> Thu, 18 Dec 2008 02:37:58 +0100
+
+mediawiki (1:1.13.2-1) unstable; urgency=low
+
+ * New upstream release
+ * Fix CVE-2008-4408: XSS in mediawiki:
+ "Cross-site scripting (XSS) vulnerability allows remote attackers
+ to inject arbitrary web script or HTML via the useskin parameter
+ to an unspecified component."
+ Closes: #501115
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 11 Oct 2008 15:02:39 +0200
+
+mediawiki (1:1.13.0-2) unstable; urgency=low
+
+ * Removed buggy postgresql patch
+ Closes: #497042
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 30 Aug 2008 14:06:47 +0200
+
+mediawiki (1:1.13.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Fixed watch file. Closes: #490009
+ * Refreshed patches
+ * Bumped standard-version to 3.8.0
+ * Fixed latex-related dependencies in mediawiki-math
+ * Removed obsolete linda override, thanks lintian !
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 17 Aug 2008 11:01:43 +0200
+
+mediawiki (1:1.12.0-2) unstable; urgency=low
+
+ * Fixed postgresql dependency
+ Closes: #472987
+ * Added instructions to install and upgrade
+ Closes: #472990, #472831
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:49:15 +0100
+
+mediawiki (1:1.12.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated patch for postfix support: dropped what
+ has been implemented upstream
+ * Refreshed other patches, thanks to quilt
+ * Changed postgresql recommends to "postgresql" package
+ Closes: #469582
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 24 Mar 2008 02:20:12 +0100
+
+mediawiki (1:1.11.2-2) unstable; urgency=high
+
+ * Added patch to fix pgsql select, thanks to Marc Dequènes
+ Closes: #469841
+ * Upated README.Debian to mention php5-gd instead of php5-gd2
+ and texlive-latex-base instead to tetex-bin.
+ Closes: #469558
+ * still setting urgency to high since previous upload didn't make it
+ to testing.
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:58:57 +0100
+
+mediawiki (1:1.11.2-1) unstable; urgency=high
+
+ * New upstream release
+ * Security fix:
+ "Possible cross-site information leaks using the callback
+ parameter for JSON-formatted results in the API are prevented by
+ dropping user credentials."
+ * Added informations on LocalSettings.php in README.Debian
+ Closes: #462609
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 03 Mar 2008 13:16:27 +0100
+
+mediawiki (1:1.11.1-1) unstable; urgency=high
+
+ * New upstream release
+ * A potential XSS injection vector affecting
+ Microsoft Internet Explorer users has been
+ closed.
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 26 Jan 2008 02:57:53 +0100
+
+mediawiki (1:1.11.0-4) unstable; urgency=low
+
+ * Really add the patch for #459312
+ * Added also patch to fix #459617
+ Closes: #459617
+ * Merged two previous patches
+
+ -- Romain Beauxis <toots at rastageeks.org> Fri, 18 Jan 2008 16:14:59 +0100
+
+mediawiki (1:1.11.0-3) unstable; urgency=low
+
+ * Really remove debian specific scripts
+ * Backported patch to fix unserialize with postgre
+ Closes: #459312
+ * Added finnish translation of the debconf templates, thanks to Esko
+ Arajärvi. Closes: #456983
+ * Updated standards to 3.7.3 (no changes)
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 07 Jan 2008 15:03:15 +0100
+
+mediawiki (1:1.11.0-2) unstable; urgency=low
+
+ * Initial upload of 1.11.0 to unstable
+
+ -- Romain Beauxis <toots at rastageeks.org> Sat, 03 Nov 2007 16:39:47 +0100
+
+mediawiki (1:1.11.0-1) experimental; urgency=low
+
+ * Removed mediawikiX versioned packages
+ * Updated to mediawiki 1.11
+ * Removed automatic upgrade script
+ * Updated README.Debian (Closes: #442311, #442302)
+ * Changed default upload directory (Closes: #444445)
+
+ -- Romain Beauxis <toots at rastageeks.org> Sun, 21 Oct 2007 20:54:00 +0200
+
+mediawiki (1:1.10) unstable; urgency=low
+
+ * Switched to mediawiki1.10
+ * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)
+
+ -- Romain Beauxis <toots at rastageeks.org> Tue, 10 Jul 2007 19:29:01 +0200
+
+mediawiki (1:1.9) unstable; urgency=low
+
+ * Switched to mediawiki1.9, closes: #392932
+ * Corrected typo in control, closes: #414121
+ * Seperated -math extension to a single package, closes: #401714
+
+ -- Romain Beauxis <toots at rastageeks.org> Thu, 12 Apr 2007 17:02:05 +0200
+
+mediawiki (1:1.7) unstable; urgency=low
+
+ * Initial Release
+
+ -- Romain Beauxis <toots at rastageeks.org> Mon, 6 Nov 2006 15:36:44 +0100
Copied: mediawiki/tags/1:1.15.5-6/debian/patches/CVE-2012-0046.patch (from rev 290, mediawiki/sid-sec/debian/patches/CVE-2012-0046.patch)
===================================================================
--- mediawiki/tags/1:1.15.5-6/debian/patches/CVE-2012-0046.patch (rev 0)
+++ mediawiki/tags/1:1.15.5-6/debian/patches/CVE-2012-0046.patch 2012-01-13 12:13:34 UTC (rev 293)
@@ -0,0 +1,17 @@
+Description: prevent cache pollution exposing previously deleted text to
+ users behind caching proxy
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=33117
+Last-Update: 2012-01-12
+
+--- mediawiki-1.15.5.orig/includes/api/ApiQueryRevisions.php
++++ mediawiki-1.15.5/includes/api/ApiQueryRevisions.php
+@@ -113,7 +113,7 @@
+ $difftoRev = Revision::newFromID($params['diffto']);
+ if (!$difftoRev)
+ $this->dieUsageMsg(array('nosuchrevid', $params['diffto']));
+- if (!$difftoRev->userCan(Revision::DELETED_TEXT)) {
++ if ($difftoRev->isDeleted(Revision::DELETED_TEXT)) {
+ $this->setWarning("Couldn't diff to r{$difftoRev->getID()}: content is hidden");
+ $params['diffto'] = null;
+ }
Deleted: mediawiki/tags/1:1.15.5-6/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series 2012-01-11 09:03:51 UTC (rev 289)
+++ mediawiki/tags/1:1.15.5-6/debian/patches/series 2012-01-13 12:13:34 UTC (rev 293)
@@ -1,18 +0,0 @@
-texvc_location.patch
-mimetypes.patch
-debian_specific_config.patch
-detect_invalid_titles.patch
-add_rss_guid.patch
-backup_documentation.patch
-suppress_warnings.patch
-CVE-2011-0003.patch
-fix_datetime.patch
-CVE-2011-0047.patch
-fix_invalid_sql.patch
-CVE-2011-1578.patch
-CVE-2011-1579.patch
-CVE-2011-1580.patch
-CVE-2011-1587.patch
-CVE-2011-4360.patch
-CVE-2011-4361.patch
-khtml_not_ff9.patch
Copied: mediawiki/tags/1:1.15.5-6/debian/patches/series (from rev 290, mediawiki/sid-sec/debian/patches/series)
===================================================================
--- mediawiki/tags/1:1.15.5-6/debian/patches/series (rev 0)
+++ mediawiki/tags/1:1.15.5-6/debian/patches/series 2012-01-13 12:13:34 UTC (rev 293)
@@ -0,0 +1,19 @@
+texvc_location.patch
+mimetypes.patch
+debian_specific_config.patch
+detect_invalid_titles.patch
+add_rss_guid.patch
+backup_documentation.patch
+suppress_warnings.patch
+CVE-2011-0003.patch
+fix_datetime.patch
+CVE-2011-0047.patch
+fix_invalid_sql.patch
+CVE-2011-1578.patch
+CVE-2011-1579.patch
+CVE-2011-1580.patch
+CVE-2011-1587.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch
+khtml_not_ff9.patch
+CVE-2012-0046.patch
More information about the Pkg-mediawiki-commits
mailing list