mediawiki (1:1.19.8+dfsg-2.2+dyson1) unstable; urgency=low * Package for Dyson -- Igor Pashev Sat, 21 Dec 2013 23:19:06 +0400 mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high * Non-maintainer upload * Security fixes (Closes: #729629): - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist [CVE-2013-4567, CVE-2013-4568] - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users [CVE-2013-4572] * New Polish debconf translation, thanks to Magdalena Z. Kubot (Closes: #731381) -- David Prévot Sun, 08 Dec 2013 16:13:40 -0400 mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low * Provide includes/libs in mediawiki-classes (Closes: #703837) -- David Prévot Wed, 23 Oct 2013 11:29:27 -0400 mediawiki (1:1.19.8+dfsg-2) unstable; urgency=low [ Thorsten Glaser ] * debian/rules: get-orig-source now leaves the repacked origtgz in ./ ipv in ./debian/ according to Policy §4.9 (noticed by Natureshadow) * Add version guards to apache.conf [ Jonathan Wiltshire ] * Update apache.conf for Apache 2.4 syntax changes, and document in debian/NEWS (Closes: #723620, #669832) -- Jonathan Wiltshire Tue, 24 Sep 2013 19:04:42 +0100 mediawiki (1:1.19.8+dfsg-1) unstable; urgency=low * mediawiki-math is now called mediawiki-extensions-math ⇒ update the package relationship fields * Make my self-drawn CC images nicer and more consistent * New upstream security release * Secure the default images directory (Closes: #716884) * Allow PDF upload (Closes: #716957) * Nuke ref to ENOENT dir (Closes: #705107) * Update debian/copyright information * Pull upstream patch to fix variables (Closes: #709943) * Sort patches ASCIIbetically; refresh them against new version * For Apache 2.4, move configuration file (Closes: #669832) -- Thorsten Glaser Thu, 05 Sep 2013 17:07:53 +0200 mediawiki (1:1.19.7+dfsg-1) unstable; urgency=low * New low-impact upstream security release * Refresh patches * Change watch file to track upstream LTS version * Replace trademarked image files by self-drawn Free ones * Fix VCS-* URLs – prodded by lintian from experimental * Policy 3.9.4 with no further changes needed -- Thorsten Glaser Thu, 23 May 2013 11:03:39 +0000 mediawiki (1:1.19.6-1) unstable; urgency=low * New upstream security release (Closes: #706601): - SVG script filtering could be bypassed for Chrome and Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as UTF-8. (CVE-2013-2031) - Internal review discovered that extensions were not given the opportunity to disable a password reset, which could lead to circumvention of two-factor authentication (CVE-2013-2032) -- Jonathan Wiltshire Sat, 11 May 2013 16:07:43 +0100 mediawiki (1:1.19.5-1) unstable; urgency=high [ Platonides ] * Update config URL in README.Debian (Closes: #703804) [ Thorsten Glaser ] * Re-add LocalSettings creation snippet for support of the mediawiki-extensions Debian packaging (Closes: #703852) * New upstream security-only release: - (bug 47251) SECURITY: Disable external entities in Import - (bug 46859) SECURITY: Disable external entities in XMLReader - (bug 46084) SECURITY: Sanitize $limitReport before outputting - (bug 43594) Fix notices displayed on PHP 5.4 - (bug 40585) Don't drop 'step="any"' in HTML input fields. * Refresh patches against new upstream code -- Thorsten Glaser Tue, 16 Apr 2013 11:04:05 +0200 mediawiki (1:1.19.4-1) unstable; urgency=high * Urgency high for security fix * New upstream release: - New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. - (bug 44010) Context is passed to UserGetLanguageObject. - The recursion guard on RequestContext::getLanguage() was weakened. - (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST - (bug 43518) API action=unblock should return the user name, not the full user object (Closes: #702305) - Increase timeout values for some tests -- Jonathan Wiltshire Mon, 04 Mar 2013 23:06:30 +0000 mediawiki (1:1.19.3-2) unstable; urgency=low * Add missing changelog entries to 1:1.19.3-1 upload (oops…) * Upstream patch to fix XHTML issue in Special:Upload (BZ#40889) * Upstream patch to fix another MySQLism (BZ#39635) (Closes: #700595) * Update lintian overrides -- Thorsten Glaser Mon, 18 Feb 2013 10:24:08 +0100 mediawiki (1:1.19.3-1) unstable; urgency=high [ Thorsten Glaser ] * Note: these changes were part of this upload, even though they were not detailed in this changelog entry when uploading: * tags must always have an alt attribute * fix DB upgrade FUBAR issue for PostgreSQL (BZ#29635) * allow MySQL users to choose either PHP5 client library (Closes: #689758) [ Dominik George ] * Team upload * New upstream version fixes security issues (Closes: #694998) + Prevent session fixation in Special:UserLogin (CVE-2012-5391) https://bugzilla.wikimedia.org/show_bug.cgi?id=40995 + Prevent linker regex from exceeding PCRE backtrack limit https://bugzilla.wikimedia.org/show_bug.cgi?id=41400 [ Thorsten Glaser ] * Fix spelling error in README.Debian (thanks lintian!) -- Dominik George Wed, 12 Dec 2012 09:44:08 +0100 mediawiki (1:1.19.2-2) unstable; urgency=low * debian/watch: mangle the epoch away so DDPO is green again * Break mw-ext-fckeditor, it doesn’t work with 1.19 (Closes: #689375) -- Thorsten Glaser Tue, 02 Oct 2012 14:09:42 +0200 mediawiki (1:1.19.2-1) unstable; urgency=low [ Thorsten Glaser ] * New upstream: security fixes for CVE-2012-4377, CVE-2012-4378, CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382 (Closes: #686330) * Prevent
without any inside, globally * Fix more cases of not checking $wgHtml5 * MW’s ID (XML) sanitiser is there for a reason, use it! * Prevent
    without any
  • inside in MonoBook * Fix invalid XHTML caused by code not honouring $wgHtml5 * Quell some PHP warnings from sloppy code * Do the wfSuppressWarnings patch used with FusionForge right * Add myself to Uploaders and quieten lintian a bit * Do not replace patched jquery-tablesorter with unpatched one; unbreaks sortable tables (Closes: #687519) * Update versioned Breaks against fusionforge and mw-extensions [ Jonathan Wiltshire ] * Add Recommends on mediawiki-extensions-base and php-wikidiff2 -- Thorsten Glaser Thu, 20 Sep 2012 13:40:12 +0200 mediawiki (1:1.19.1-1) unstable; urgency=low * New upstream bug fix release Closes: #672818, 677895 (CVE-2012-2698) - debian/rules: remove all .gitignore files too, since upstream switched to git VCS * Remove last traces of mediaiki-math binary package * Remove CDBS logic and dependencies and use dh auto-sequencer instead * Depend on debhelper >=9 and use compat level 9; this stops dh_pysupport adding files to the build * Do not run update debconf translations on clean * Disable patch texvc_location.patch; this really belongs in mediawiki-math now and especially considering <1632437115.20120612191230@gmail.com> * Add a versioned Breaks on fusionforge-plugin-mediawiki * Upload to unstable -- Jonathan Wiltshire Mon, 18 Jun 2012 15:25:25 +0100 mediawiki (1:1.19.0-1) experimental; urgency=low * New upstream release * Standards version 3.9.3 (no changes) * Update debian/NEWS version -- Jonathan Wiltshire Mon, 04 Jun 2012 20:14:14 +0100 mediawiki (1:1.18.1-1) experimental; urgency=low * New upstream release (Closes: #613791, #619159, #550940, #460831) * Remove patches integrated upstream in this version * Standards version 3.9.2 * Drop mediawiki-math binary package, it is no longer shipped upstream * Add sqlite3 to Recommends (Closes: #612212) * Use system copies of javascript libraries where available * Document upgrade procedure in debian/NEWS * Debconf translation to Danish (Closes: #627848) -- Jonathan Wiltshire Sun, 15 Jan 2012 00:10:18 +0000 mediawiki (1:1.15.5-10) unstable; urgency=low * Team upload. * Apply SQL fix for schema search paths by Roland Mas (#673125) -- Thorsten Glaser Wed, 30 May 2012 16:50:36 +0200 mediawiki (1:1.15.5-9) unstable; urgency=high * Team upload. * Address MW security release 1.18.1-1 (Closes: #666269) - CVE-2012-1578 MW#34212: doesn’t affect 1.15 - CVE-2012-1579 MW#34907: doesn’t affect 1.15 - CVE-2012-1580 MW#35317: doesn’t affect 1.15 - CVE-2012-1581 MW#35078: fix backported - CVE-2012-1582 MW#35315: fix backported * Apply some lintian cleanup -- Thorsten Glaser Wed, 16 May 2012 15:01:06 +0200 mediawiki (1:1.15.5-8) unstable; urgency=low * Fix reversing IPv4 address for SORBS blacklist; patch from Nye Liu (Closes: #658672) * Backport a method called by CVE-2011-1580.patch (Closes: #658682) * Fix warnings issued by PHP 5.4 (Closes: #661682) * Suggest librsvg-bin (Closes: #644731) * Demote database server to Suggests (Closes: #617561) * Add dansk translation (Closes: #627848) -- Thorsten Glaser Thu, 15 Mar 2012 12:52:09 +0100 mediawiki (1:1.15.5-7) unstable; urgency=high * debian/patches/CVE-2011-4360.patch: remove – the information disclosure does not happen on 1.15 and the patch would not work anyway because the OutputPage object has no setTitle method (this prevents a PHP fatal error when someone has no permissions, instead reverting to the pre-1:1.15.5-4 behaviour of showing a page asking the user to log in) -- Thorsten Glaser Fri, 20 Jan 2012 17:13:28 +0100 mediawiki (1:1.15.5-6) unstable; urgency=low [ Thorsten Glaser ] * debian/patches/khtml_not_ff9.patch: new (Closes: #652948) [ Jonathan Wiltshire ] * debian/patches/CVE-2012-0046.patch: security fix for unintended exposure of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694) -- Jonathan Wiltshire Fri, 13 Jan 2012 09:54:41 +0000 mediawiki (1:1.15.5-5) unstable; urgency=high * Security fixes from upstream: CVE-2011-1578 - XSS for IE <= 6 CVE-2011-1579 - CSS validation error in wikitext parser CVE-2011-1580 - access control checks on transwiki import feature CVE-2011-1587 - fix incomplete patch for CVE-2011-1578 -- Jonathan Wiltshire Sun, 18 Dec 2011 23:48:18 +0000 mediawiki (1:1.15.5-4) unstable; urgency=low [ Thorsten Glaser ] * debian/patches/fix_invalid_sql.patch: new (Closes: #615983) [ Jonathan Wiltshire ] * Security fixes from upstream (Closes: #650434): CVE-2011-4360 - page titles on private wikis could be exposed bypassing different page ids to index.php CVE-2011-4361 - action=ajax requests were dispatched to the relevant function without any read permission checks being done -- Jonathan Wiltshire Wed, 30 Nov 2011 22:42:52 +0000 mediawiki (1:1.15.5-3) unstable; urgency=high [ Thorsten Glaser ] * debian/patches/fix_datetime.patch: new, convert argument into the format expected by other methods, fixes date/time output in e.g. the News/RSS extensions [ Jonathan Wiltshire ] * CVE-2011-0047: Protect against a CSS injection vulnerability (closes: #611787) * Update my email address -- Jonathan Wiltshire Sun, 06 Feb 2011 15:53:48 +0000 mediawiki (1:1.15.5-2) testing-security; urgency=high * CVE-2011-0003: Protect against clickjacking by sending the X-Frame-Options header in all pages (except normal page views and a few selected special pages). Patch as released by upstream -- Jonathan Wiltshire Tue, 04 Jan 2011 22:39:26 +0000 mediawiki (1:1.15.5-1) unstable; urgency=high [ Thorsten Glaser ] * debian/patches/suppress_warnings.patch: new, suppress warnings about session_start() being called twice also in the PHP error log, not just MediaWiki’s, for example run from FusionForge [ Jonathan Wiltshire ] * New upstream security release: - correctly set caching headers to prevent private data leakage (closes: #590660, LP: #610782) - fix XSS vulnerability in profileinfo.php (closes: #590669, LP: #610819) -- Jonathan Wiltshire Wed, 28 Jul 2010 12:23:04 +0100 mediawiki (1:1.15.4-2) unstable; urgency=low [ Thorsten Glaser ] * debian/control: add Vcs-SVN and Vcs-Browser [ Jonathan Wiltshire ] * debian/source/format: Switch to source format 3.0 (quilt) * debian/rules: Drop CDBS quilt logic * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH, remove the original definition (LP: #406358) * debian/README.source: document use of quilt and format 3.0 (quilt) * New patch backup_documentation.patch improves documentation of maintenance/dumpBackup.php (closes: #572355) * Standards version 3.9.0 (no changes) -- Jonathan Wiltshire Tue, 29 Jun 2010 14:20:35 +0100 mediawiki (1:1.15.4-1) unstable; urgency=high [ Jonathan Wiltshire ] * New upstream security release (closes: #585918). * CVE-2010-1647: Fix a cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. * CVE-2010-1648: Fix a cross-site request forgery (CSRF) vulnerability in the login interface which allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. [ Romain Beauxis ] * Put debian's package version in declared version. Should help sysadmins to keep track of installed versions, in particular with regard to security updates. * Added Jonathan Wiltshire to uploaders. * Do not clan math dir if it does not exist (for instance when running clean from SVN). -- Romain Beauxis Mon, 21 Jun 2010 23:41:29 +0200 mediawiki (1:1.15.3-1) unstable; urgency=high * New upstream release. * Fixes security issue: "MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password." -- Romain Beauxis Fri, 16 Apr 2010 14:44:09 -0500 mediawiki (1:1.15.2-1) unstable; urgency=high * New upstream release. * Fixes security issue: "Two security issues were discovered: A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected." * Updated standards. * Removed section about upgrading from mediawiki1.x packages in README.Debian since they do not exist in any supported distribution anymore. * Switched php5-gd and imagemagick in Suggests. Closes: #542008 * Backported patch from revision 51083 to fix a bug with invalid titles. Closes: #537134 * Backported patch from revision 61090 to add a unique guid per RSS feed element. Closes: #383130 * Refreshed patches. -- Romain Beauxis Mon, 15 Mar 2010 11:41:07 -0500 mediawiki (1:1.15.1-1) unstable; urgency=low * New upstream release. * Ack previous NMU, thanks to Nico Golde for taking care of this. -- Romain Beauxis Sun, 09 Aug 2009 10:46:41 -0500 mediawiki (1:1.15.0-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fix cross-site scripting in [[Special:Block]] (No CVE id yet; XSS-no-CVE.patch; Closes: #537634). -- Nico Golde Sun, 26 Jul 2009 18:11:07 +0200 mediawiki (1:1.15.0-1) unstable; urgency=low * New upstream release. * Upstream added support for OASIS documents. Closes: #530328 * Refreshed quilt patches * Bumped standards versions to 3.8.2 * Bumped compat to 7 * Pointed to GPL-2 in debian/copyright * Added php5-sqlite to possible DB backend dependencies. Closes: #501569 * Proofread README.Debian, upgrade is documented there. Closes: #520121 -- Romain Beauxis Fri, 19 Jun 2009 01:38:50 +0200 mediawiki (1:1.14.0-1) unstable; urgency=low * New upstream release. * Fixed issues in the installer: "A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer once the installer has been used to install a wiki, it is deactivated. Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service." Closes: #514547 * Fixed typo in README.Debian Closes: #515192 * Updated japanese debconf translation, thanks to Hideki Yamane Closes: #510896 * Added a file in debian/copyright -- Romain Beauxis Fri, 06 Mar 2009 20:29:17 +0100 mediawiki (1:1.13.3-1) unstable; urgency=low * New upstream release. * Fix CVE-2008-5249: XSS vulnerability in MediaWiki: "An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and 1.13.2." Closes: #508868 * Fix CVE-2008-5250: several local script injection vulnerabilities in MediaWiki: "o A local script injection vulnerability affecting Internet Explorer clients for all MediaWiki installations with uploads enabled. o A local script injection vulnerability affecting clients with SVG scripting capability (such as Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled." Closes: #508869 * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import feature in MediaWiki: "A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki installations since the feature was introduced in 1.3.0." Closes: #508870 -- Romain Beauxis Thu, 18 Dec 2008 02:37:58 +0100 mediawiki (1:1.13.2-1) unstable; urgency=low * New upstream release * Fix CVE-2008-4408: XSS in mediawiki: "Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component." Closes: #501115 -- Romain Beauxis Sat, 11 Oct 2008 15:02:39 +0200 mediawiki (1:1.13.0-2) unstable; urgency=low * Removed buggy postgresql patch Closes: #497042 -- Romain Beauxis Sat, 30 Aug 2008 14:06:47 +0200 mediawiki (1:1.13.0-1) unstable; urgency=low * New upstream release * Fixed watch file. Closes: #490009 * Refreshed patches * Bumped standard-version to 3.8.0 * Fixed latex-related dependencies in mediawiki-math * Removed obsolete linda override, thanks lintian ! -- Romain Beauxis Sun, 17 Aug 2008 11:01:43 +0200 mediawiki (1:1.12.0-2) unstable; urgency=low * Fixed postgresql dependency Closes: #472987 * Added instructions to install and upgrade Closes: #472990, #472831 -- Romain Beauxis Mon, 24 Mar 2008 02:49:15 +0100 mediawiki (1:1.12.0-1) unstable; urgency=low * New upstream release * Updated patch for postfix support: dropped what has been implemented upstream * Refreshed other patches, thanks to quilt * Changed postgresql recommends to "postgresql" package Closes: #469582 -- Romain Beauxis Mon, 24 Mar 2008 02:20:12 +0100 mediawiki (1:1.11.2-2) unstable; urgency=high * Added patch to fix pgsql select, thanks to Marc Dequènes Closes: #469841 * Upated README.Debian to mention php5-gd instead of php5-gd2 and texlive-latex-base instead to tetex-bin. Closes: #469558 * still setting urgency to high since previous upload didn't make it to testing. -- Romain Beauxis Mon, 03 Mar 2008 13:58:57 +0100 mediawiki (1:1.11.2-1) unstable; urgency=high * New upstream release * Security fix: "Possible cross-site information leaks using the callback parameter for JSON-formatted results in the API are prevented by dropping user credentials." * Added informations on LocalSettings.php in README.Debian Closes: #462609 -- Romain Beauxis Mon, 03 Mar 2008 13:16:27 +0100 mediawiki (1:1.11.1-1) unstable; urgency=high * New upstream release * A potential XSS injection vector affecting Microsoft Internet Explorer users has been closed. -- Romain Beauxis Sat, 26 Jan 2008 02:57:53 +0100 mediawiki (1:1.11.0-4) unstable; urgency=low * Really add the patch for #459312 * Added also patch to fix #459617 Closes: #459617 * Merged two previous patches -- Romain Beauxis Fri, 18 Jan 2008 16:14:59 +0100 mediawiki (1:1.11.0-3) unstable; urgency=low * Really remove debian specific scripts * Backported patch to fix unserialize with postgre Closes: #459312 * Added finnish translation of the debconf templates, thanks to Esko Arajärvi. Closes: #456983 * Updated standards to 3.7.3 (no changes) -- Romain Beauxis Mon, 07 Jan 2008 15:03:15 +0100 mediawiki (1:1.11.0-2) unstable; urgency=low * Initial upload of 1.11.0 to unstable -- Romain Beauxis Sat, 03 Nov 2007 16:39:47 +0100 mediawiki (1:1.11.0-1) experimental; urgency=low * Removed mediawikiX versioned packages * Updated to mediawiki 1.11 * Removed automatic upgrade script * Updated README.Debian (Closes: #442311, #442302) * Changed default upload directory (Closes: #444445) -- Romain Beauxis Sun, 21 Oct 2007 20:54:00 +0200 mediawiki (1:1.10) unstable; urgency=low * Switched to mediawiki1.10 * Mediawiki1.10 recommends mediawiki-math (Closes: #428021) -- Romain Beauxis Tue, 10 Jul 2007 19:29:01 +0200 mediawiki (1:1.9) unstable; urgency=low * Switched to mediawiki1.9, closes: #392932 * Corrected typo in control, closes: #414121 * Seperated -math extension to a single package, closes: #401714 -- Romain Beauxis Thu, 12 Apr 2007 17:02:05 +0200 mediawiki (1:1.7) unstable; urgency=low * Initial Release -- Romain Beauxis Mon, 6 Nov 2006 15:36:44 +0100