Subject: CVS commit: [pkgsrc-2008Q4] pkgsrc/www/mediawiki
From: Matthias Scheler
Date: 2009-02-07 20:56:33
Message id: 20090207195633.4C5A8175D0@cvs.netbsd.org

Log Message:
Pullup ticket #2690 - requested by martti
mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile			1.4
- www/mediawiki/PLIST				1.3
- www/mediawiki/distinfo			1.3
---
Module Name:	pkgsrc
Committed By:	martti
Date:		Sat Feb  7 11:09:37 UTC 2009

Modified Files:
	pkgsrc/www/mediawiki: Makefile PLIST distinfo

Log Message:
Updated www/mediawiki to 1.13.4

A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These
vulnerabilities all require a live installer -- once the installer has been
used to install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any
website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used
to attack the active service.  If you are hosting an old copy of MediaWiki
that you have never installed, we advise you to remove it from the web.

Files:
RevisionActionfile
1.3.2.1modifypkgsrc/www/mediawiki/Makefile
1.2.2.1modifypkgsrc/www/mediawiki/PLIST
1.2.2.1modifypkgsrc/www/mediawiki/distinfo