pkgsrc.se | The NetBSD package collection

./www/mediawiki, Free software wiki package originally written for Wikipedia

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2009Q4, Version: 1.15.3, Package name: mediawiki-1.15.3, Maintainer: martti

MediaWiki is free server-based software which is licensed under the GNU
General Public License (GPL). It's designed to be run on a large server
farm for a website that gets millions of hits per day. MediaWiki is an
extremely powerful, scalable software and a feature-rich wiki implementation,
that uses PHP to process and display data stored in its MySQL database.

Required to run:
[databases/php-mysql]

Required to build:
[www/apache22] [lang/perl5]

Package options: mysql

Master sites:

http://download.wikimedia.org/mediawiki/1.15/ (Download)

SHA1: 891bf5fb7479c88fbb4fd155666eafe510b2f92c
RMD160: 77e2d446672ab11832b2f913624d3358a3855651
Filesize: 11217.442 KB

Version history: (Expand)

(2010-04-08) Updated to version: mediawiki-1.15.3
(2010-03-10) Updated to version: mediawiki-1.15.2
(2010-01-15) Package added to pkgsrc.se, version mediawiki-1.15.1 (created)

CVS history: (Expand)

2010-04-07 12:21:11 by Matthias Scheler | Files touched by this commit (2) | Package updated

Log message:
Pullup ticket #3073 - requested by martti
mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile		1.11
- www/mediawiki/distinfo		1.7
---
Module Name:	pkgsrc
Committed By:	martti
Date:		Wed Apr  7 05:40:11 UTC 2010

Modified Files:
	pkgsrc/www/mediawiki: Makefile distinfo

Log message:
Updated www/mediawiki to 1.15.3

This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.

MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

2010-03-09 11:51:52 by Matthias Scheler | Files touched by this commit (2) | Package updated

Log message:
Pullup ticket #3046 - requested by martti
mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile		1.10
- www/mediawiki/distinfo		1.6
---
Module Name:	pkgsrc
Committed By:	martti
Date:		Tue Mar  9 05:16:42 UTC 2010

Modified Files:
	pkgsrc/www/mediawiki: Makefile distinfo

Log message:
Updated www/mediawiki to 1.15.2

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.