mediawiki (1:1.31.16-1+deb10u8) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2023-51704: group-*-member messages can result in XSS on
    Special:log/rights.
  * Fix CVE-2024-PENDING: Denial of service vector via GET request to
    Special:MovePage on pages with thousands of subpages.

 -- Guilhem Moulin  Sat, 27 Apr 2024 15:06:16 +0200

mediawiki (1:1.31.16-1+deb10u7) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2023-3550: Namespaces used in XML files are not validated, so if
    the instance administrator allows XML file uploads, then a remote attacker
    with a low-privileged user account can gain unprivileged access.
  * Fix CVE-2023-45362: diff-multi-sameuser (aka "X intermediate revisions by
    the same user not shown") ignores username suppression, which is an
    information leak.
  * Fix CVE-2023-45363: denial of service vulnerability (unbounded loop and
    RequestTimeoutException) when querying pages redirected to other variants
    with redirects and converttitles set.

 -- Guilhem Moulin  Tue, 28 Nov 2023 03:35:04 +0100

mediawiki (1:1.31.16-1+deb10u6) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2023-29141: An auto-block can occur for an untrusted
    X-Forwarded-For header in MediaWiki, a website engine for collaborative
    work. X-Forwarded-For is not necessarily trustworthy and can specify
    multiple IP addresses in a single header, all of which are checked for
    blocks. When a user is autoblocked, the wiki will create an IP block
    behind the scenes for that user without exposing the user's IP on-wiki.
    However, spoofing XFF would let an attacker guess at the IPs of users who
    have active autoblocks, since the block message includes the username of
    the original block target.

 -- Markus Koschany  Tue, 22 Aug 2023 23:58:34 +0200

mediawiki (1:1.31.16-1+deb10u5) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2022-47927: A security issue was discovered in MediaWiki, a
    website engine for collaborative work, which could result in information
    disclosure when SQLite files are created within a data directory that has
    weak permissions.

 -- Markus Koschany  Sun, 09 Jul 2023 23:30:03 +0200

mediawiki (1:1.31.16-1+deb10u4) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2022-41767: reassignEdits doesn't update results in an IP range
    check on Special:Contributions.
  * Fix CVE-2022-41765: HTMLUserTextField exposes existence of hidden users.

 -- Markus Koschany  Tue, 11 Oct 2022 20:45:03 +0200

mediawiki (1:1.31.16-1+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-44856, CVE-2022-28201, CVE-2022-28202, CVE-2022-28203,
    CVE-2022-34911 and CVE-2022-34912.
  * Several security vulnerabilities were discovered in mediawiki, a website
    engine for collaborative work. Insufficiently escaped input text may allow
    a malicious user to perform cross-site scripting (XSS) attacks.

 -- Markus Koschany  Thu, 22 Sep 2022 14:11:17 +0200

mediawiki (1:1.31.16-1+deb10u2) buster-security; urgency=high

  * Backport fix for CVE-2021-44858. This version is not vulnerable to
    CVE-2021-44857 nor CVE-2021-45038.

 -- Kunal Mehta  Tue, 14 Dec 2021 18:48:51 -0800

mediawiki (1:1.31.16-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.16, fixing CVE-2021-35197, CVE-2021-41798,
    CVE-2021-41799, CVE-2021-41800, CVE-2021-41801.

 -- Kunal Mehta  Thu, 30 Sep 2021 10:28:36 -0700

mediawiki (1:1.31.14-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.14, fixing CVE-2021-30152, CVE-2021-30154,
    CVE-2021-30155, CVE-2021-30157, CVE-2021-30158, CVE-2021-30159. This
    version is not affected by CVE-2021-30153.
  * The pygments lexers vulnerable to CVE-2021-20270, CVE-2021-27291 were
    disabled to mitigate the exploit.

 -- Kunal Mehta  Thu, 08 Apr 2021 14:08:21 -0700

mediawiki (1:1.31.12-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.12, fixing CVE-2020-35475, CVE-2020-35477,
    CVE-2020-35479, CVE-2020-35480. This version is not affected by
    CVE-2020-35474 nor CVE-2020-35478.
  * Respect $wgRedirectOnLogin configuration setting (Closes: #971986).
  * Flatten footer links without triggering a PHP warning (Closes: #971985).

 -- Kunal Mehta  Thu, 17 Dec 2020 15:30:11 -0800

mediawiki (1:1.31.10-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.10, fixing CVE-2020-15005, CVE-2020-25812,
    CVE-2020-25813, CVE-2020-25814, CVE-2020-25827, CVE-2020-25828.
    CVE-2020-25689 does not affect this package; it requires an additional
    extension.
  * Additionally, mitigations for firejail's CVE-2020-17367, CVE-2020-17368
    are included as well.

 -- Kunal Mehta  Thu, 24 Sep 2020 15:29:07 -0700

mediawiki (1:1.31.7-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.7, fixing CVE-2020-10960. CVE-2020-10959 does
    not affect this version of MediaWiki.
  * A hardening fix was included for the OATHAuth extension to limit access
    of user-controlled JavaScript.

 -- Kunal Mehta  Thu, 26 Mar 2020 14:59:51 -0700

mediawiki (1:1.31.6-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.6 (security release), fixing CVE-2019-19709.

 -- Kunal Mehta  Thu, 19 Dec 2019 13:03:58 -0800

mediawiki (1:1.31.4-1~deb10u1) buster-security; urgency=medium

  * New upstream version 1.31.4 (security release), fixing CVE-2019-16738.
    Add an additional patch, already merged upstream, to fix a fatal error
    caused by the upstream security patch.

 -- Kunal Mehta  Fri, 11 Oct 2019 14:59:46 -0700

mediawiki (1:1.31.2-1) unstable; urgency=medium

  [ Kunal Mehta ]
  * New upstream version 1.31.2 (security release), fixing CVE-2019-12466,
    CVE-2019-12467, CVE-2019-12468, CVE-2019-12469, CVE-2019-12470,
    CVE-2019-12471, CVE-2019-12472, CVE-2019-12473, CVE-2019-12474.
    The bundled jQuery was also updated, fixing CVE-2019-11358.
  * Fix regex that was breaking file uploads in PHP 7.3 (Closes: #928716).
  * Sync upstream/signing-key.asc with mediawiki.org.
  * Drop patch merged upstream.
  * Revert "Temporarily add allow-stderr restriction to autopkgtests", as it
    was fixed upstream.

  [ Mark A. Hershberger ]
  * Fix indentation in README.Debian

 -- Kunal Mehta  Wed, 05 Jun 2019 22:40:28 -0400

mediawiki (1:1.31.1-4) unstable; urgency=medium

  * Update my email address
  * Temporarily add allow-stderr restriction to autopkgtests (Closes: #911829)

 -- Kunal Mehta  Thu, 25 Oct 2018 23:19:40 -0700

mediawiki (1:1.31.1-3) unstable; urgency=medium

  * Document removal of CologneBlue and Modern in NEWS (Closes: #909589)
  * Document filesystem structure in README.Debian

 -- Kunal Mehta  Wed, 26 Sep 2018 20:41:24 -0700

mediawiki (1:1.31.1-2) unstable; urgency=medium

  * Fix SQLite autopkgtests.
  * Remove bogus version dependency upon php-common.
  * Fix some package-contains-documentation-outside-usr-share-doc issues.

 -- Kunal Mehta  Sat, 22 Sep 2018 16:16:02 -0700

mediawiki (1:1.31.1-1) unstable; urgency=medium

  * New upstream version 1.31.1, including fixes for CVE-2018-0503,
    CVE-2018-0505, CVE-2018-0504.
  * Use PlatformSettings.php instead of LocalSettingsGenerator, see NEWS for
    details on how to migrate.
  * Wrap $wgFooterIcons custom config in an $wgExtensionFunctions, so the
    resources path is read after config. (Closes: #863332)
  * SyntaxHighlight extension now uses Python 3.

 -- Kunal Mehta  Fri, 21 Sep 2018 23:13:24 -0700

mediawiki (1:1.30.0-1) unstable; urgency=medium

  * New upstream version 1.30.0
  * Update Vcs-Browser to use Gerrit/Gitiles as repository viewer
  * Update d/watch for 1.30
  * Update d/copyright for 1.30
  * Rebase patches, dropping php-jwt-fix-shebang.diff
  * Don't try to install any *.phtml
  * Drop Suggests on hhvm
  * Suppress and fix some lintian issues
  * Refer to newly available `/usr/share/common-licenses/CC0-1.0`
  * Standards-Version: 4.1.4
  * Update mediawiki.NEWS for 1.30 release
  * Install composer.json to avoid update.php warning

 -- Kunal Mehta  Thu, 12 Apr 2018 21:26:19 -0700

mediawiki (1:1.27.4-3) unstable; urgency=medium

  * Add basic tests via autopkgtest
  * Document mediawiki-jobrunner systemd unit in README.Debian

 -- Kunal Mehta  Sun, 03 Dec 2017 00:20:33 -0800

mediawiki (1:1.27.4-2) unstable; urgency=medium

  * Bump Standards-Version to 4.1.1
  * Set Rules-Requires-Root: no
  * Remove unused lintian overrides
  * Upgrade php-apcu to a Recommends
  * Use debhelper compat 10
  * Add a systemd unit to run runJobs.php as a service
  * Get rid of unnecessary dh_installdeb override
  * Remove dead code to mess with $wgVersion
  * Synchronise upstream/signing-key.asc
  * Remove broken ConfirmEdit/Asirra.php & Vector/Vector.php symlinks
    (Closes: #857773)
  * Document descriptions and forwarded status for all patches
  * Remove unused GPL-3.0 paragraph from debian/copyright
  * Override composer-package-without-pkg-php-tools-builddep lintian warning

 -- Kunal Mehta  Thu, 23 Nov 2017 01:22:51 -0800

mediawiki (1:1.27.4-1) unstable; urgency=medium

  * Imported Upstream version 1.27.4 (security release), fixing CVE-2017-8809,
    CVE-2017-8810, CVE-2017-8808, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814,
    CVE-2017-8815.
  * Users who used the default configuration should not be affected by
    CVE-2017-9841, but an extra .htaccess file will restrict web access to
    the vendor/ directory.

 -- Kunal Mehta  Tue, 14 Nov 2017 15:52:47 -0800

mediawiki (1:1.27.3-1) unstable; urgency=medium

  * Imported Upstream version 1.27.3 (security release), that actually
    contains the fix for CVE-2017-0372 (Closes: #861585)

 -- Kunal Mehta  Mon, 01 May 2017 13:20:11 -0700

mediawiki (1:1.27.2-1) unstable; urgency=medium

  * Improve NEWS file (Closes: #852862, #854352)
  * Imported Upstream version 1.27.2 (security release), fixing
    CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0361,
    CVE-2017-0362, CVE-2017-0368, CVE-2017-0366, CVE-2017-0370,
    CVE-2017-0369, CVE-2017-0367

 -- Kunal Mehta  Thu, 06 Apr 2017 14:04:24 -0700

mediawiki (1:1.27.1-3) unstable; urgency=medium

  * Ensure mediawiki depends upon the same version of mediawiki-classes
  * Add powered by Debian icon in footer
  * Add NEWS for major version upgrade (Closes: #838965)
  * Add README for mediawiki-classes
  * Add RELEASE-NOTES-* as documentation for mediawiki
  * Recommend default-mysql-server | virtual-mysql-server instead of just
    mysql-server (Closes: #843994, #848441)
  * Use bundled jQuery (version 1) instead of Debian's jQuery, which is now
    the incompatible version 3
  * Add Provides for extensions now included in this one (Closes: #845281)

 -- Kunal Mehta  Tue, 13 Sep 2016 04:17:42 -0700

mediawiki (1:1.27.1-2) unstable; urgency=high

  * Add missing php-xml dependency (Closes: #835912)

 -- Kunal Mehta  Mon, 29 Aug 2016 20:44:17 -0700

mediawiki (1:1.27.1-1) unstable; urgency=medium

  * Add gbp.conf for git-buildpackage
  * Improve Breaks/Replaces for mediawiki-extensions-* packages
    (Closes: #831227)
  * Update apache config for mod_php7
  * Don't add custom PHP session configuration (Closes: #831874)
  * Imported Upstream version 1.27.1 (security release), fixing
    CVE-2016-6335, CVE-2016-6334, CVE-2016-6333, CVE-2016-6336,
    CVE-2016-6332, CVE-2016-6331, CVE-2016-6337

 -- Kunal Mehta  Mon, 22 Aug 2016 20:08:40 -0700

mediawiki (1:1.27.0-1) unstable; urgency=medium

  * New upstream release
  * Update dependencies to be PHP version agnostic
  * Switch to new 1.27 MediaWiki Installer overrides system, drop old patches
  * Local patch to remove newline before shebang in php-jwt/run-tests.sh
  * Local patch to fix pear/mail_mime/scripts/phail.php shebang
  * Remove permission fixes that were addressed upstream, add new ones
  * Properly override source-is-missing lintian warning
  * Drop AdminSettings.php support
  * Add php-curl, php-intl, and php-wikidiff2 as Recommends
  * Add python as recommended for SyntaxHighlighting (via pygments)
  * Remove unnecessary Build-Depends packages
  * Update watch file for 1.27
  * Standards version 3.9.8
  * Include serialized/ folder in install, MediaWiki now needs it at runtime
  * Rewrite and simplify README

 -- Kunal Mehta  Thu, 30 Jun 2016 22:48:23 +0000

mediawiki (1:1.25.5-1) unstable; urgency=medium

  * Upgraded to new upstream release
  * Remove unneeded patches
  * Remove redrawn CC images; images provided by upstream are free
  * Fixed lintian warnings

 -- Kunal Mehta  Sun, 09 Aug 2015 23:49:36 +0000

mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high

  * Non-maintainer upload.
  * Add patch fixing several security issues:
    - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain
      XML entities, to prevent various DoS attacks.
    - (bug T88310) SECURITY: Always expand XML entities when checking SVGs.
    - (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
    - (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
    - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in
      SVG filtering to prevent XSS and protect viewer's privacy.

 -- Thijs Kinkhorst  Mon, 06 Apr 2015 16:53:54 +0000

mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Add patch fixing T76686: thumb.php outputs wikitext message as raw HTML,
    which could lead to XSS. Permission to edit the MediaWiki namespace is
    required to exploit this.

 -- Sebastien Delafond  Sun, 21 Dec 2014 13:11:10 +0100

mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2014-9277: The mangling in OutputHandler.php poses a potentially
    severe security problem for API clients written in PHP, in that
    format=php is affected (Closes: #772764).

 -- Sebastien Delafond  Sun, 14 Dec 2014 18:23:47 +0100

mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low

  * Team upload.
  * Remove myself from Uploaders.

 -- Thorsten Glaser  Tue, 07 Oct 2014 18:13:52 +0000

mediawiki (1:1.19.20+dfsg-1) unstable; urgency=medium

  * Make debian/rules get-orig-source-tg call uscan automatically
  * New upstream security release:
    - (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
      allowance.

 -- Thorsten Glaser  Thu, 02 Oct 2014 10:50:16 +0200

mediawiki (1:1.19.19+dfsg-1) unstable; urgency=medium

  [ Mert Dirik ]
  * Update Turkish Debconf translation (Closes: #759878)

  [ Thorsten Glaser ]
  * Remove Romain Beauxis' bouncing e-mail address
  * Acknowledge NMU (1:1.19.18+dfsg-0.1) – thanks!
  * New upstream security and maintenance release:
    - (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter