-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sun, 18 Jan 2009 11:54:02 +0100 Source: mediawiki Binary: mediawiki mediawiki-math Architecture: source all amd64 Version: 1:1.12.0-2lenny2 Distribution: testing-security Urgency: high Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org> Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it> Description: mediawiki - website engine for collaborative work mediawiki-math - math rendering plugin for MediaWiki Closes: 508869 508870 Changes: mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high . * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252 * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch: - Fixed output escaping for reporting of non-MediaWiki exceptions. Potential XSS if an extension throws one of these with user input. - Avoid fatal error in profileinfo.php when not configured. - Fixed CSRF vulnerability in Special:Import. Fixed input validation in transwiki import feature. - Add a .htaccess to deleted images directory for additional protection against exposure of deleted files with known SHA-1 hashes on default installations. - Fixed XSS vulnerability for Internet Explorer clients, via file uploads which are interpreted by IE as HTML. - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG uploads are enabled. Firefox 1.5+ is affected. - Avoid streaming uploaded files to the user via index.php. This allows security-conscious users to serve uploaded files via a different domain, and thus client-side scripts executed from that domain cannot access the login cookies. Affects Special:Undelete, img_auth.php and thumb.php. - When streaming files via index.php, use the MIME type detected from the file extension, not from the data. This reduces the XSS attack surface. - Blacklist redirects via Special:Filepath. Such redirects exacerbate any XSS vulnerabilities involving uploads of files containing scripts. Closes: #508869, #508870 Checksums-Sha1: 512bf6e8fca53d500bf05830f63f56c8d294f50c 1256 mediawiki_1.12.0-2lenny2.dsc e88ac10275b63597d0f458d410bacebfb4e4011c 44723 mediawiki_1.12.0-2lenny2.diff.gz 001451c718bd81e0919f22629cb576c070cc84a7 7221734 mediawiki_1.12.0-2lenny2_all.deb 1b548cb4268b1a40a6450d9eb2872a693defbd97 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb Checksums-Sha256: ebbb4e60c1a3e9a654497e8d4e52ebdbac798db2bc9bd6203a5f3cd5e7db52eb 1256 mediawiki_1.12.0-2lenny2.dsc ead873972b16a61e4ed3bf8a3f2a91322322b8ac0215ad5e1ba79e92690c4b9a 44723 mediawiki_1.12.0-2lenny2.diff.gz af01d0399306308938d8d3b02bc193d4544e56f92db5f60dec11b51c472a3211 7221734 mediawiki_1.12.0-2lenny2_all.deb 6b833ad770dae6f5bd05fcfd3ad36d6aa721decae8b09a6a26fb4d42d07d305e 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb Files: 591bf4d91a70412b0d39eec68db0d54b 1256 web optional mediawiki_1.12.0-2lenny2.dsc e6458248327c0bba19c8424eae912d13 44723 web optional mediawiki_1.12.0-2lenny2.diff.gz b0870767c2a8e11928f1064eb17bef43 7221734 web optional mediawiki_1.12.0-2lenny2_all.deb 6cbeb87e190429648e95cadb0fcc0b40 156542 web optional mediawiki-math_1.12.0-2lenny2_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkl8UzwACgkQHYflSXNkfP/dKwCdHTXstaOGpEedqa836BfUxKFS vFYAni3GafeEy8gPtsa/adkMir9yaKu1 =O3Hj -----END PGP SIGNATURE----- Accepted: mediawiki-math_1.12.0-2lenny2_amd64.deb to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny2_amd64.deb mediawiki_1.12.0-2lenny2.diff.gz to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.diff.gz mediawiki_1.12.0-2lenny2.dsc to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.dsc mediawiki_1.12.0-2lenny2_all.deb to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2_all.deb