Format: 1.8
Date: Thu, 30 Oct 2025 19:40:01 +0100
Source: mediawiki
Architecture: source
Version: 1:1.35.13-1+deb11u5
Distribution: bullseye-security
Urgency: high
Maintainer: Kunal Mehta <legoktm@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Changes:
 mediawiki (1:1.35.13-1+deb11u5) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2025-11173 (OATHAuth extension): Reauth for enabling 2FA can be
     bypassed by submitting a form.
   * Fix CVE-2025-11261: Escape system messages in mw.language.listToText.
   * Fix CVE-2025-61635 (ConfirmEdit extension): ApiFancyCaptchaReload: Reuse
     badcaptcha rate limit.
   * Fix CVE-2025-61638 (parsoid): Sanitize data- attributes.
   * Fix CVE-2025-61639: Use ManualLogEntry::getDeleted in ::getRecentChange.
   * Fix CVE-2025-61640: Parse messages instead of inserting them as HTML.
   * Fix CVE-2025-61641: api: Disable maxsize in QueryAllPages in miser mode.
   * Fix CVE-2025-61643: Don't send suppressed recent changes to RCFeeds.
   * Fix CVE-2025-61646: Prevent leaking hidden usernames in
     Watchlist/RecentChanges.
   * Fix CVE-2025-61653 (TextExtracts extension): Add authorizeRead check for
     extracts endpoint.
   * ConfirmEdit extension: Backport upstream change to avoid double-escaping
     the captcha-edit-fail message via both Html::element and RawMessage.
   * Fix CVE-2025-61655 (VisualEditor extension): Properly escape and parse
     system messages.
   * Fix CVE-2025-61656 (VisualEditor extension): Sanitize attributes unwrapped
     from data-ve-attributes.