Package: mediawiki Version: 1:1.19.20+dfsg-2.1 Severity: important Tags: upstream patch
>From upstream bug T76686 (still not public): thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. The upstream patch fixing this is at https://github.com/wikimedia/mediawiki/commit/fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83, and I have uploaded 1:1.19.20+dfsg-2.2 to DELAYED/2, that includes it. The corresponding debdiff is included at the end of this email. Cheers, --Seb -- System Information: Debian Release: 7.7 APT prefers stable APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org