Navigation:
Browse pkgsrc
(this page) 2010-04-07 12:21:11 by Matthias Scheler | Files touched by this commit (2) |  |
Log message: Pullup ticket #3073 - requested by martti mediawiki: security update Revisions pulled up: - www/mediawiki/Makefile 1.11 - www/mediawiki/distinfo 1.7 --- Module Name: pkgsrc Committed By: martti Date: Wed Apr 7 05:40:11 UTC 2010 Modified Files: pkgsrc/www/mediawiki: Makefile distinfo Log message: Updated www/mediawiki to 1.15.3 This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki 1.16.0beta2. MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password. Even without user scripting, this attack is a potential nuisance, and so all public wikis should be upgraded if possible. Our fix includes a breaking change to the API login action. Any clients using it will need to be updated. We apologise for making such a disruptive change in a minor release, but we feel that security is paramount. For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076 |
| 2010-03-09 11:51:52 by Matthias Scheler | Files touched by this commit (2) | |
Log message: Pullup ticket #3046 - requested by martti mediawiki: security update Revisions pulled up: - www/mediawiki/Makefile 1.10 - www/mediawiki/distinfo 1.6 --- Module Name: pkgsrc Committed By: martti Date: Tue Mar 9 05:16:42 UTC 2010 Modified Files: pkgsrc/www/mediawiki: Makefile distinfo Log message: Updated www/mediawiki to 1.15.2 Two security issues were discovered: A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected. Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']. Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the patch below to whatever version of MediaWiki you are using. |
New packages: