Bug#716884: marked as done (mediawiki: /usr/share/mediawiki/images points to /var/lib/mediawiki/images without security in mediawiki.conf)

Thu, 05 Sep 2013 09:17:25 -0700 

Your message dated Thu, 05 Sep 2013 15:49:02 +0000
with message-id <[email protected]>
and subject line Bug#716884: fixed in mediawiki 1:1.19.8+dfsg-1
has caused the Debian Bug report #716884,
regarding mediawiki: /usr/share/mediawiki/images points to 
/var/lib/mediawiki/images without security in mediawiki.conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
716884: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716884
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: mediawiki
Version: 1:1.19.5-1
Severity: normal

Dear Maintainer,

MediaWiki config reports a vulnerability for /usr/share/mediawiki/images,
the default upload directory. The file /etc/mediawiki/apache.conf has
settings for /var/lib/mediawiki/upload, which doesn't exist, but does
not have settings for /var/lib/mediawiki/images.

Adding the following allowed MediaWiki to proceed without noting a
vulnerability:

<Directory /var/lib/mediawiki/images>
        Options -FollowSymLinks
        AllowOverride None
        php_admin_flag engine off
</Directory>

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mediawiki depends on:
ii  apache2                      2.2.22-13
ii  apache2-mpm-prefork [httpd]  2.2.22-13
ii  debconf [debconf-2.0]        1.5.49
ii  libjs-jquery                 1.7.2+dfsg-1
ii  libjs-jquery-cookie          6-1
ii  libjs-jquery-form            6-1
ii  libjs-jquery-tipsy           6-1
ii  mime-support                 3.52-1
ii  php5                         5.4.4-14+deb7u2
ii  php5-mysql                   5.4.4-14+deb7u2

Versions of packages mediawiki recommends:
ii  mediawiki-extensions-base  2.11
ii  mysql-server               5.5.31+dfsg-0+wheezy1
ii  php-wikidiff2              0.0.1+svn109581-1
ii  php5-cli                   5.4.4-14+deb7u2
ii  python                     2.7.3-4

Versions of packages mediawiki suggests:
pn  clamav          <none>
ii  imagemagick     8:6.7.7.10-5
pn  mediawiki-math  <none>
pn  memcached       <none>

-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]

-- debconf information:
* mediawiki/webserver: apache2

--- End Message ---
--- Begin Message --- 
Source: mediawiki
Source-Version: 1:1.19.8+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <[email protected]> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Thu, 05 Sep 2013 17:07:53 +0200
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.8+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team 
<[email protected]>
Changed-By: Thorsten Glaser <[email protected]>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 669832 705107 709943 716884 716957
Changes: 
 mediawiki (1:1.19.8+dfsg-1) unstable; urgency=low
 .
   * mediawiki-math is now called mediawiki-extensions-math
     ⇒ update the package relationship fields
   * Make my self-drawn CC images nicer and more consistent
   * New upstream security release
   * Secure the default images directory (Closes: #716884)
   * Allow PDF upload (Closes: #716957)
   * Nuke ref to ENOENT dir (Closes: #705107)
   * Update debian/copyright information
   * Pull upstream patch to fix variables (Closes: #709943)
   * Sort patches ASCIIbetically; refresh them against new version
   * For Apache 2.4, move configuration file (Closes: #669832)
Checksums-Sha1: 
 9ea030740e6dffa5c5aa81f2c5b337b74e52c085 2133 mediawiki_1.19.8+dfsg-1.dsc
 2b762e4802a96b4ad441ae14a12abf7a51609872 12084316 
mediawiki_1.19.8+dfsg.orig.tar.xz
 15c6dffa766228e5a7a5a0f3168b848216e7bf6b 50637 
mediawiki_1.19.8+dfsg-1.debian.tar.gz
 91a17ac6c33ec8ce2a7b88411a717376f69d27ab 11718012 
mediawiki_1.19.8+dfsg-1_all.deb
Checksums-Sha256: 
 b20c01b8aa830e5e3eb0c1f51a5fddba29ab1f7be065e2b23000bd28c4606d8e 2133 
mediawiki_1.19.8+dfsg-1.dsc
 c10f0ddede992b76c219c428fc00e3bb851ed6b14c3b29030f29a6685eb29909 12084316 
mediawiki_1.19.8+dfsg.orig.tar.xz
 545a318a29fe19aa41c77144b57f3ec079f47cad645e8b1d1f0b189354103edb 50637 
mediawiki_1.19.8+dfsg-1.debian.tar.gz
 bd03bbc792f2f461eb9b2020b595b0ce7191caae13d037ee65caaea68b7d0029 11718012 
mediawiki_1.19.8+dfsg-1_all.deb
Files: 
 759eda14a85f3663f74219ccbde0ca26 2133 web optional mediawiki_1.19.8+dfsg-1.dsc
 67a0c29474102bd3f791b38da089745e 12084316 web optional 
mediawiki_1.19.8+dfsg.orig.tar.xz
 82e423054145d10a91a260ae3ced81e5 50637 web optional 
mediawiki_1.19.8+dfsg-1.debian.tar.gz
 f27510a1472870e946f834d2b418d7da 11718012 web optional 
mediawiki_1.19.8+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)

iQIcBAEBCQAGBQJSKKCMAAoJEHa1NLLpkAfgVDIP/2qy/jEr2ChHlAntTHEkMopH
8nwwq3pR2bL++1SrxvPp08RXOBQMhSsDaBhWJc2AxqFLpi/QR2x3LH37ARggLf7f
0IUa1f4YhM/JStCjiMEMpaiqonLMDZA6hPhEF5j8RzhY/CIdSSOcCgjTWJFSuXkA
hy6d0IjFfxf2+6SDnygMkw5juld1/VaYJ9NK7D7wbPBWUqgTKn4CM3CFElufbU0t
R1d9ajWmXPWrxtx5SlFoFImKxPSUsh0IbIesYg446HIzBTrY5HWK91yV1AJgmwe8
7NvUbGAOJufgRaWHQHxF71sLEwma0FZSEh6NKIsUJInxHIh6lh3lzSzzZBQc2BFM
7TwrTU09bvh6emrzSF8zirW2h/nc19VsPB+tsU8ijYwOTf+NXMlsUxKWXM1JhDR0
+Zyey3BmTGmWnt/fRwTZAW1LcX0eVVTs0VuTDL4vdFM4AOIEukpCqPX5JNBhjv4e
juiPuq7Ago0M9dYLSpp32C3Nxg5t2agXZmGPw9m3ZlQcBxyGUPa7cHHDeSUeFUR9
Smmw3B7TykKgRh7KiT2lwvXFs1QyD7sMfWWCBD5VKdRudSB2iBhhq6vJ23cWY8/r
qxDrT97SNy77CTluM+aF9WF0gVwitaSOqHcdVpsDr1ZRSWPAGV22lpFq/OUtBptQ
b9eSTjYw59vaiykNDZnT
=Y9+e
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to