- Committer: Bazaar Package Importer
- Date: 2009-02-01 08:53:13 UTC
- Revision ID: james.westby@ubuntu.com-20090201085313-7p0thizuv91oahlr
* SECURITY UPDATE:
- CVE-2008-5249
- CVE-2008-5250
- CVE-2008-5252
- other security-related problems (see full patch description).
- patch taken directly from Debian
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
* debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
- Fixed output escaping for reporting of non-MediaWiki exceptions.
Potential XSS if an extension throws one of these with user input.
- Avoid fatal error in profileinfo.php when not configured.
- Fixed CSRF vulnerability in Special:Import. Fixed input validation in
transwiki import feature.
- Add a .htaccess to deleted images directory for additional protection
against exposure of deleted files with known SHA-1 hashes on default
installations.
- Fixed XSS vulnerability for Internet Explorer clients, via file uploads
which are interpreted by IE as HTML.
- Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
uploads are enabled. Firefox 1.5+ is affected.
- Avoid streaming uploaded files to the user via index.php. This allows
security-conscious users to serve uploaded files via a different domain,
and thus client-side scripts executed from that domain cannot access the
login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
- When streaming files via index.php, use the MIME type detected from the
file extension, not from the data. This reduces the XSS attack surface.
- Blacklist redirects via Special:Filepath. Such redirects exacerbate any
XSS vulnerabilities involving uploads of files containing scripts.
- CVE-2008-5249
- CVE-2008-5250
- CVE-2008-5252
- other security-related problems (see full patch description).
- patch taken directly from Debian
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508870
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
* debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
- Fixed output escaping for reporting of non-MediaWiki exceptions.
Potential XSS if an extension throws one of these with user input.
- Avoid fatal error in profileinfo.php when not configured.
- Fixed CSRF vulnerability in Special:Import. Fixed input validation in
transwiki import feature.
- Add a .htaccess to deleted images directory for additional protection
against exposure of deleted files with known SHA-1 hashes on default
installations.
- Fixed XSS vulnerability for Internet Explorer clients, via file uploads
which are interpreted by IE as HTML.
- Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
uploads are enabled. Firefox 1.5+ is affected.
- Avoid streaming uploaded files to the user via index.php. This allows
security-conscious users to serve uploaded files via a different domain,
and thus client-side scripts executed from that domain cannot access the
login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
- When streaming files via index.php, use the MIME type detected from the
file extension, not from the data. This reduces the XSS attack surface.
- Blacklist redirects via Special:Filepath. Such redirects exacerbate any
XSS vulnerabilities involving uploads of files containing scripts.
| Filename | Latest Rev | Last Changed | Committer | Comment | Size | ||
|---|---|---|---|---|---|---|---|
 .. |
|||||||
bin
|
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 |
|
||
|
config
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
debian
|
8 | 17 years ago | Bazaar Package Importer | Initial Release |
|
||
|
docs
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
extensions
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
images
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
includes
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
languages
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
locale
|
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 |
|
||
|
maintenance
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
math
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
serialized
|
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 |
|
||
|
skins
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
|
t
|
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 |
|
||
|
tests
|
1 | 18 years ago | Bazaar Package Importer | Import upstream version 1.4.10 |
|
||
AdminSettings.sample |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 825 bytes |
|
|
|
api.php |
1.1.6 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.1 | 2.8 KB |
|
|
|
api.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 25 bytes |
|
|
|
COPYING |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 17.5 KB |
|
|
|
FAQ |
1.1.6 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.1 | 164 bytes |
|
|
|
HISTORY |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 261 KB |
|
|
|
img_auth.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 2.4 KB |
|
|
|
img_auth.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 31 bytes |
|
|
|
index.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 3.1 KB |
|
|
|
index.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 28 bytes |
|
|
|
INSTALL |
1.1.6 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.1 | 3.8 KB |
|
|
|
install-utils.inc |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 3.6 KB |
|
|
|
Makefile |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 569 bytes |
|
|
|
opensearch_desc.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 1.4 KB |
|
|
|
opensearch_desc.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 39 bytes |
|
|
|
profileinfo.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 6.4 KB |
|
|
|
README |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 3.4 KB |
|
|
|
redirect.php |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 289 bytes |
|
|
|
redirect.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 31 bytes |
|
|
|
redirect.phtml |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 91 bytes |
|
|
|
RELEASE-NOTES |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 38.3 KB |
|
|
|
StartProfiler.php |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 603 bytes |
|
|
|
Test.php |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 12.5 KB |
|
|
|
thumb.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 3.4 KB |
|
|
|
thumb.php5 |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 29 bytes |
|
|
|
trackback.php |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 1.3 KB |
|
|
|
UPGRADE |
1.1.8 | 16 years ago | Bazaar Package Importer | Import upstream version 1.12.0 | 12.8 KB |
|
|
|
wiki.phtml |
1.1.5 | 16 years ago | Bazaar Package Importer | Import upstream version 1.11.0 | 88 bytes |
|
|