Your message dated Tue, 31 Dec 2013 11:49:51 +0000
with message-id <e1vxxpx-0007p5...@franck.debian.org>
and subject line Bug#729629: fixed in mediawiki 1:1.19.9+dfsg-1
has caused the Debian Bug report #729629,
regarding mediawiki: CVE-2013-4567, CVE-2013-4568 and CVE-2013-4572
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729629: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediawiki
Severity: grave
Tags: security upstream patch fixed-upstream

Hi

To have these issues tracked: Upstream announced new security releases
for mediawiki:

http://lists.wikimedia.org/pipermail/wikitech-l/2013-November/073115.html

for mediawiki these are:

* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>

* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>

Regards,
Salvatore

--- End Message ---
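
The cache-header failure described above for CVE-2013-4572 can be audited from the outside: a response that sets a session cookie must not be storable by a shared cache. This is an added example, not code from MediaWiki or from this bug report; the header values and cookie name are constructed, and the classification is a simplified reading of HTTP caching rules.

```python
# Added example, not MediaWiki code. Header values and the cookie name
# are constructed samples.

def parse_cache_control(value):
    """Return {directive: argument-or-None}, directive names lowercased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def _seconds(directives, name):
    """Integer value of a delta-seconds directive, or None if absent/invalid."""
    arg = directives.get(name)
    return int(arg) if arg is not None and arg.isdigit() else None

def audit_response(headers):
    """Classify one response, given as a list of (name, value) pairs.

    'ok'     : no cookie, or shared caches are told not to store it
    'leak'   : sets a cookie and a shared cache may serve it from storage
    'review' : sets a cookie, storable, but no explicit positive freshness
    """
    names = [name.lower() for name, _ in headers]
    if "set-cookie" not in names:
        return "ok"
    cc = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "private" in cc or "no-store" in cc:
        return "ok"
    # For a shared cache, s-maxage takes precedence over max-age.
    s_maxage, max_age = _seconds(cc, "s-maxage"), _seconds(cc, "max-age")
    lifetime = s_maxage if s_maxage is not None else max_age
    if lifetime is not None and lifetime > 0:
        return "leak"
    return "review"

# Constructed samples: an auto-login response that kept anonymous-page
# cache headers, the same response marked private, and an anonymous page.
BROKEN = [("Cache-Control", "s-maxage=3600, must-revalidate, max-age=0"),
          ("Set-Cookie", "example_session=abc123; HttpOnly")]
FIXED = [("Cache-Control", "private, must-revalidate, max-age=0"),
         ("Set-Cookie", "example_session=abc123; HttpOnly")]
ANON = [("Cache-Control", "s-maxage=3600, must-revalidate, max-age=0")]
```

A 'review' result still deserves attention, because a cache that stores the response can replay its stored headers after revalidation.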
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.19.9+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <t...@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Tue, 31 Dec 2013 12:18:56 +0100
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.9+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <t...@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 703837 719208 725162 729629 731381
Changes: 
 mediawiki (1:1.19.9+dfsg-1) unstable; urgency=medium
 .
   [ Jonathan Wiltshire ]
   * Re-work debian/rule:get-orig-source:
     - use more conventional tools
     - improve legibility
     - safer use of temporary directories
   * Guard against missing mod_php5 in Apache configuration
     (Closes: #725162)
 .
   [ Thorsten Glaser ]
   * Refresh patches against 1.19.9
   * Handle /var/lib/mediawiki/extensions/* always as symlinks, for
     both core and extra extensions, with upgrade path (Closes: #719208)
   * Address updated lintian tags
   * Update copyright file with things noted by Paul Tagliamonet, thanks!
 .
 mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
 .
   * Non-maintainer upload
   * Security fixes (Closes: #729629):
     - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
       vectors for injecting Javascript in CSS that bypassed MediaWiki's
       blacklist [CVE-2013-4567, CVE-2013-4568]
     - Internal review while debugging a site issue discovered that MediaWiki
       and the CentralNotice extension were incorrectly setting cache headers
       when a user was autocreated, causing the user's session cookies to be
       cached, and returned to other users [CVE-2013-4572]
   * New Polish debconf translation, thanks to Magdalena Z. Kubot
     (Closes: #731381)
 .
 mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low
 .
   * Provide includes/libs in mediawiki-classes (Closes: #703837)


--- End Message ---
