-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Fri, 28 Mar 2014 10:36:48 +0100
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.14+dfsg-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 mediawiki  - website engine for collaborative work
Closes: 706601 716884 719208 729629 742857
Changes:
 mediawiki (1:1.19.14+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   * New upstream security fix release (Closes: #742857):
     - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
     - (bug 62467) Set a title for the context during import on the cli
     - (bug 61362) Don't find links in the middle of api.php links
     - (bug 60771) disallow iframe and unusual namespaces in SVG
     - (bug 61346) make token comparison use constant time
   * Fix bugs (file permissions; superfluous COPYING files) lintian
     pointed out (backported from sid)
   * Backport debian/rules get-orig-source-*, debian/upstream/signing-key.asc
     and debian/watch changes from sid, to prepare for sid (or experimental)
     switching to MediaWiki 1.23 (in which case further updates for stable
     will need to be made using this SVN branch)
 .
 mediawiki (1:1.19.11+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   [ Thorsten Glaser ]
   * New upstream security fix release (Closes: #729629, #706601):
     - CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
     - CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
     - CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
     - CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
     - CVE-2013-6454 (bug 58472) Disallow -o-link in styles
     - CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks
     - CVE-2013-4572 (bug 53032) Don't cache when a call could autocreate
     - CVE-2013-4567 (bug 55332) Vertical tab allows bypassing filters
     - CVE-2013-4568 (bug 55332) "expression" filtering in IE6 bypass
     - SVG script filtering could be bypassed for Chrome and Firefox clients
       by using an encoding that MediaWiki understood, but these browsers
       interpreted as UTF-8. (CVE-2013-2031)
     - Internal review discovered that extensions were not given the
       opportunity to disable a password reset, which could lead to
       circumvention of two-factor authentication (CVE-2013-2032)
     - (and others)
   * Replace trademarked image files by self-drawn Free ones
   * Secure the default images directory (Closes: #716884)
   * Handle /var/lib/mediawiki/extensions/* always as symlinks, for both
     core and extra extensions, with upgrade path (Closes: #719208)
   * Ship files in /etc/mediawiki-extensions/extensions-available/ for
     extensions shipped with the mediawiki core
   * Change watch file to track upstream LTS version
   * debian/control: Change VCS-* URLs (unbreak; point to stable)
   * Update copyright file with things noted by Paul Tagliamonte, thanks!
   * Refresh one patch to make it apply cleanly against 1.19.11
 .
   [ Florian Weimer ]
   * Add “Replaces: mediawiki-extensions-confirmedit”
Checksums-Sha1:
 c2db91f2c15e1a51bcb4d174713abde1114980f3 2188 mediawiki_1.19.14+dfsg-0+deb7u1.dsc
 67861a47e0efa62acef52afa6847801d3902f686 12190640 mediawiki_1.19.14+dfsg.orig.tar.xz
 e2afb0a81af2149755a8007418b4e8a58842940f 63556 mediawiki_1.19.14+dfsg-0+deb7u1.debian.tar.gz
 c6e7957555bd63dc3117991d05227862b89a88a9 17894734 mediawiki_1.19.14+dfsg-0+deb7u1_all.deb
Checksums-Sha256:
 013bc9cd9aa2efcfad9cffe3e1f91778a85d546823b8badf71bbbcf3187a5ab9 2188 mediawiki_1.19.14+dfsg-0+deb7u1.dsc
 01d6a757612728a753522de792187069dd9ebded0066357b0cb0fab517f38d50 12190640 mediawiki_1.19.14+dfsg.orig.tar.xz
 265a8126a217faa3c5eb9b74edebbefc6479bbfa3844e793ea7f7a42729484e3 63556 mediawiki_1.19.14+dfsg-0+deb7u1.debian.tar.gz
 e0c4f8f300e441b4565eaa8b84b5d1bb9607229f856a344f88afc84b88ccb674 17894734 mediawiki_1.19.14+dfsg-0+deb7u1_all.deb
Files:
 c1ce7dbe37b2336b3713f4f3a9512a35 2188 web optional mediawiki_1.19.14+dfsg-0+deb7u1.dsc
 100c399d3701f16e718c42db502d18da 12190640 web optional mediawiki_1.19.14+dfsg.orig.tar.xz
 4d7e77999d9f7f0442cf4cec14ed7a48 63556 web optional mediawiki_1.19.14+dfsg-0+deb7u1.debian.tar.gz
 7519221851db2c899d3854fe287d6258 17894734 web optional mediawiki_1.19.14+dfsg-0+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)

iQIcBAEBCQAGBQJTNYT7AAoJEHa1NLLpkAfgIEoQAIQnqBPztnuRv4pBbaKKPm9c
eSRCBvpqlltc5aIfaDPTbCiJ5xiHbg8ZFAWYS3/GWTMwD76z+Vz9gWIuHfD7GoyW
7iMGUazfwUty5dn5ogIeq+txFHZJMgY9UbzP9/VNslV04GOx8S3mkwUqjCou4zHS
bO7VOJSl1u9AZ28SiTomTvS3C+yaMpp97bIJvJXOh+H97P0rNlGHx3k/l1wom5hh
bTcKOUTIHccI0YgDL/n0VB61nI0yBD/UvrabJnvtnxWN03l4as0iQt0SUaVD0mWh
jrFRjyTd1soZAcHQP66JhRafh3cFd7zk3Mn1m3G2A96GGV6hbDcXYmWm5yhc1Gy6
UoMMLormzR5FoNccn/viqWZL/jpQVrn4pjexuvcIKl59AOq5LXyCA4Zbaab+C3VC
Qr578eFKAuidbI6bTX2GQp8ov4ZoE3v0G5IR9G0pbhwxlZ/pFESOSw8DZFSGjNqb
5Oo0shRBClOIV5EWIszN8rQcI5tuBfEeDPR/iFs6I2XCaR1rfpa/jI3moMU+SDnT
wyVHCjw1fPvlRbNi84Th4lu2heyrtxUDjMLkCX+RgHfDPuFQP0vy93ZB0YMraM9s
pd8oi9tjP0u4uQGi1cv9BI8ts3ZafKaPMQeZv7XhP8JdXqWk3B66UtaiNwjBj14E
CJ30i7wDGCSgVQFzOUSR
=mJnl
-----END PGP SIGNATURE-----
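Two of the upstream fixes listed above, the CSRF token on Special:ChangePassword (bug 62497) and the constant-time token comparison (bug 61346), are the same pattern seen from two sides: a form must carry a per-session secret, and the server must check it without leaking, through response timing, how many leading bytes of a guess were right. The following is an added illustration in PHP and is not MediaWiki's or the Debian package's code. It assumes a PHP 7.1+ CLI; the session array, the handler name and the form field name `wpEditToken` are assumptions made for the example.

```php
<?php
// Added illustration, not MediaWiki code: a per-session CSRF token for a
// password-change form, verified with a constant-time comparison.

// Issue (or reuse) the session's CSRF token. $session stands in for
// $_SESSION so the script runs from the CLI without a web server.
function csrfIssueToken(array &$session): string {
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $session['csrf_token'];
}

// Weak check: "===" on strings compares byte by byte and may return as soon
// as a differing byte is found, so response time depends on how long the
// matching prefix of the submitted value is.
function tokenMatchesNaive(string $expected, ?string $submitted): bool {
    return $submitted !== null && $expected === $submitted;
}

// Hardened check: hash_equals() (PHP >= 5.6) walks the whole known-good
// string regardless of where the values diverge, so timing reveals nothing
// about the token. The known-good value goes first, as its length is what
// the comparison time is allowed to depend on.
function tokenMatchesConstantTime(string $expected, ?string $submitted): bool {
    if ($submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Handler for a password-change POST (assumed name). The request is acted
// upon only after the submitted token matches the session's token.
function handleChangePassword(array &$session, array $post): string {
    $expected  = csrfIssueToken($session);
    $submitted = $post['wpEditToken'] ?? null; // assumed field name
    if (!tokenMatchesConstantTime($expected, $submitted)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // ... verify the old password and store the new hash here ...
    return 'ok: password change accepted';
}

// Constructed demo: one session, three requests against the handler.
$session = [];
$token   = csrfIssueToken($session);

// 1. Cross-site POST: a third-party page cannot read the victim's token.
echo handleChangePassword($session, ['wpNewPassword' => 'x']), PHP_EOL;
// 2. Token of the right length but from a different session.
echo handleChangePassword($session, ['wpEditToken' => str_repeat('0', 64)]), PHP_EOL;
// 3. Legitimate submission carrying this session's token.
echo handleChangePassword($session, ['wpEditToken' => $token]), PHP_EOL;
```

Run it with `php csrf_demo.php`; the first two requests are rejected and only the third is accepted. The naive comparison is kept only to show the contrast: in a real handler it should be deleted, not left as an alternative, since the token's entropy (256 bits from `random_bytes`) is what defeats guessing and the constant-time comparison is what keeps that entropy from being recovered one byte at a time.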