Hi, mediawiki has another security vulnerability, this time CVE-2011-0003.
The debdiff for a stable update is attached, but it has the same po/* noise
as previously. Again, it's harmless re-ordering of the fields in some
files, which I'm inclined to blame on CDBS magic.
Changelog:
mediawiki (1:1.12.0-2lenny7) stable; urgency=high
* Stable upload.
* CVE-2011-0003: Minimise risk of clickjacking by denying
framing on all pages except normal page views and a few
selected special pages
and diffstat:
debian/patches/CVE-2011-0003.patch | 28 ++++++++++++++++++++++++++++
mediawiki-1.12.0/debian/changelog | 9 +++++++++
mediawiki-1.12.0/debian/patches/series | 1 +
mediawiki-1.12.0/debian/po/ar.po | 2 +-
mediawiki-1.12.0/debian/po/ca.po | 2 +-
mediawiki-1.12.0/debian/po/cs.po | 2 +-
mediawiki-1.12.0/debian/po/de.po | 2 +-
mediawiki-1.12.0/debian/po/es.po | 5 +++--
mediawiki-1.12.0/debian/po/eu.po | 2 +-
mediawiki-1.12.0/debian/po/fi.po | 2 +-
mediawiki-1.12.0/debian/po/fr.po | 2 +-
mediawiki-1.12.0/debian/po/gl.po | 2 +-
mediawiki-1.12.0/debian/po/it.po | 2 +-
mediawiki-1.12.0/debian/po/ja.po | 2 +-
mediawiki-1.12.0/debian/po/ml.po | 2 +-
mediawiki-1.12.0/debian/po/nl.po | 2 +-
mediawiki-1.12.0/debian/po/pt.po | 2 +-
mediawiki-1.12.0/debian/po/pt_BR.po | 2 +-
mediawiki-1.12.0/debian/po/ru.po | 6 +++---
mediawiki-1.12.0/debian/po/sk.po | 2 +-
mediawiki-1.12.0/debian/po/sv.po | 2 +-
mediawiki-1.12.0/debian/po/ta.po | 2 +-
mediawiki-1.12.0/debian/po/vi.po | 2 +-
23 files changed, 62 insertions(+), 23 deletions(-)
TIA,
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog --- mediawiki-1.12.0/debian/changelog +++ mediawiki-1.12.0/debian/changelog @@ -1,3 +1,12 @@ +mediawiki (1:1.12.0-2lenny7) stable; urgency=high + + * Stable upload. + * CVE-2011-0003: Minimise risk of clickjacking by denying + framing on all pages except normal page views and a few + selected special pages + + -- Jonathan Wiltshire <[email protected]> Tue, 04 Jan 2011 19:32:42 +0000 + mediawiki (1:1.12.0-2lenny6) stable; urgency=high * Stable upload. Closes: #591382 diff -u mediawiki-1.12.0/debian/po/gl.po mediawiki-1.12.0/debian/po/gl.po --- mediawiki-1.12.0/debian/po/gl.po +++ mediawiki-1.12.0/debian/po/gl.po @@ -10,10 +10,10 @@ "PO-Revision-Date: 2007-06-12 23:54+0200\n" "Last-Translator: Jacobo Tarrio <[email protected]>\n" "Language-Team: Galician <[email protected]>\n" +"Language: gl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: gl\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/ja.po mediawiki-1.12.0/debian/po/ja.po --- mediawiki-1.12.0/debian/po/ja.po +++ mediawiki-1.12.0/debian/po/ja.po @@ -10,10 +10,10 @@ "PO-Revision-Date: 2007-03-01 22:44+0900\n" "Last-Translator: Noritada Kobayashi <[email protected]>\n" "Language-Team: Japanese <[email protected]>\n" +"Language: ja\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: ja\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/fi.po mediawiki-1.12.0/debian/po/fi.po --- mediawiki-1.12.0/debian/po/fi.po +++ mediawiki-1.12.0/debian/po/fi.po 
@@ -6,10 +6,10 @@ "PO-Revision-Date: 2007-12-18 22:37+0200\n" "Last-Translator: Esko Arajärvi <[email protected]>\n" "Language-Team: Finnish <[email protected]>\n" +"Language: fi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: fi\n" "X-Poedit-Language: Finnish\n" "X-Poedit-Country: Finland\n" diff -u mediawiki-1.12.0/debian/po/ta.po mediawiki-1.12.0/debian/po/ta.po --- mediawiki-1.12.0/debian/po/ta.po +++ mediawiki-1.12.0/debian/po/ta.po @@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-06-13 14:19+0530\n" "Last-Translator: Dr.T.Vasudevan <[email protected]>\n" "Language-Team: TAMIL <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/nl.po mediawiki-1.12.0/debian/po/nl.po --- mediawiki-1.12.0/debian/po/nl.po +++ mediawiki-1.12.0/debian/po/nl.po @@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-06-01 13:32+0100\n" "Last-Translator: Bart Cornelis <[email protected]>\n" "Language-Team: debian-l10n-dutch <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "X-Poedit-Language: Dutch\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/sv.po mediawiki-1.12.0/debian/po/sv.po --- mediawiki-1.12.0/debian/po/sv.po +++ mediawiki-1.12.0/debian/po/sv.po 
@@ -18,10 +18,10 @@ "PO-Revision-Date: 2007-06-01 09:59+0100\n" "Last-Translator: Daniel Nylander <[email protected]>\n" "Language-Team: Swedish <[email protected]>\n" +"Language: sv\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" -"Language: sv\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/cs.po mediawiki-1.12.0/debian/po/cs.po --- mediawiki-1.12.0/debian/po/cs.po +++ mediawiki-1.12.0/debian/po/cs.po @@ -19,10 +19,10 @@ "PO-Revision-Date: 2007-06-13 00:18+0200\n" "Last-Translator: Vitezslav Kotrla <[email protected]>\n" "Language-Team: Czech <[email protected]>\n" +"Language: cs\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: cs\n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/pt.po mediawiki-1.12.0/debian/po/pt.po --- mediawiki-1.12.0/debian/po/pt.po +++ mediawiki-1.12.0/debian/po/pt.po @@ -10,10 +10,10 @@ "PO-Revision-Date: 2007-04-30 23:40+0100\n" "Last-Translator: Luísa Lourenço <[email protected]>\n" "Language-Team: Native Portuguese <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/de.po mediawiki-1.12.0/debian/po/de.po --- mediawiki-1.12.0/debian/po/de.po +++ mediawiki-1.12.0/debian/po/de.po @@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-06-12 21:00+0200\n" "Last-Translator: Helge Kreutzmann <[email protected]>\n" "Language-Team: German <[email protected]>\n" +"Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-15\n" "Content-Transfer-Encoding: 8bit\n" -"Language: de\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/es.po mediawiki-1.12.0/debian/po/es.po --- mediawiki-1.12.0/debian/po/es.po +++ mediawiki-1.12.0/debian/po/es.po 
@@ -40,10 +40,10 @@ "PO-Revision-Date: 2007-06-13 22:40+0200\n" "Last-Translator: Javier Fernández-Sanguino <[email protected]>\n" "Language-Team: Debian Spanish <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "com>\n" #. Type: multiselect @@ -170 +170,2 @@ -#~ "por si acaso esto fallara, que también está disponible en «/etc/mediawiki»." +#~ "por si acaso esto fallara, que también está disponible en «/etc/" +#~ "mediawiki»." diff -u mediawiki-1.12.0/debian/po/ml.po mediawiki-1.12.0/debian/po/ml.po --- mediawiki-1.12.0/debian/po/ml.po +++ mediawiki-1.12.0/debian/po/ml.po @@ -11,10 +11,10 @@ "Last-Translator: Sreerenj B<[email protected]>\n" "Language-Team: Swathanthra|സ്വതന്ത്ര Malayalam|മലയാളം Computing|കമ്പ്യൂട്ടിങ്ങ് <smc-" "[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/pt_BR.po mediawiki-1.12.0/debian/po/pt_BR.po --- mediawiki-1.12.0/debian/po/pt_BR.po +++ mediawiki-1.12.0/debian/po/pt_BR.po @@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-04-09 00:44-0300\n" "Last-Translator: Felipe Augusto van de Wiel (faw) <[email protected]>\n" "Language-Team: l10n portuguese <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "pt_BR utf-8\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/sk.po mediawiki-1.12.0/debian/po/sk.po --- mediawiki-1.12.0/debian/po/sk.po +++ mediawiki-1.12.0/debian/po/sk.po 
@@ -6,10 +6,10 @@ "PO-Revision-Date: 2007-08-13 02:41+0100\n" "Last-Translator: Ivan Masár <[email protected]>\n" "Language-Team: Slovak <[email protected]>\n" +"Language: sk\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: sk\n" "X-Poedit-Language: Slovak\n" "X-Poedit-Country: SLOVAKIA\n" diff -u mediawiki-1.12.0/debian/po/ca.po mediawiki-1.12.0/debian/po/ca.po --- mediawiki-1.12.0/debian/po/ca.po +++ mediawiki-1.12.0/debian/po/ca.po @@ -14,10 +14,10 @@ "PO-Revision-Date: 2007-04-21 21:36+0200\n" "Last-Translator: Álvaro Martínez Majado <[email protected]>\n" "Language-Team: Catalan <[email protected]>\n" +"Language: ca\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: ca\n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/vi.po mediawiki-1.12.0/debian/po/vi.po --- mediawiki-1.12.0/debian/po/vi.po +++ mediawiki-1.12.0/debian/po/vi.po @@ -10,10 +10,10 @@ "PO-Revision-Date: 2007-06-14 16:36+0930\n" "Last-Translator: Clytie Siddall <[email protected]>\n" "Language-Team: Vietnamese <[email protected]>\n" +"Language: vi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: vi\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: LocFactoryEditor 1.6.3b1\n" diff -u mediawiki-1.12.0/debian/po/fr.po mediawiki-1.12.0/debian/po/fr.po --- mediawiki-1.12.0/debian/po/fr.po +++ mediawiki-1.12.0/debian/po/fr.po 
@@ -10,10 +10,10 @@ "PO-Revision-Date: 2007-06-02 21:46+0200\n" "Last-Translator: laurent gabriel <[email protected]>\n" "Language-Team: <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/ru.po mediawiki-1.12.0/debian/po/ru.po --- mediawiki-1.12.0/debian/po/ru.po +++ mediawiki-1.12.0/debian/po/ru.po @@ -11,13 +11,13 @@ "PO-Revision-Date: 2007-06-17 17:56+0400\n" "Last-Translator: Yuri Kozlov <[email protected]>\n" "Language-Team: Russian <[email protected]>\n" +"Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: ru\n" "X-Generator: KBabel 1.11.4\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" -"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/eu.po mediawiki-1.12.0/debian/po/eu.po --- mediawiki-1.12.0/debian/po/eu.po +++ mediawiki-1.12.0/debian/po/eu.po @@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-05-31 22:56+0200\n" "Last-Translator: Piarres Beobide <[email protected]>\n" "Language-Team: Euskara <[email protected]>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: \n" "X-Generator: KBabel 1.11.4\n" #. Type: multiselect diff -u mediawiki-1.12.0/debian/po/it.po mediawiki-1.12.0/debian/po/it.po --- mediawiki-1.12.0/debian/po/it.po +++ mediawiki-1.12.0/debian/po/it.po 
@@ -11,10 +11,10 @@ "PO-Revision-Date: 2007-06-23 11:52+0200\n" "Last-Translator: Luca Monducci <[email protected]>\n" "Language-Team: Italian <[email protected]>\n" +"Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: it\n" #. Type: multiselect #. Description diff -u mediawiki-1.12.0/debian/po/ar.po mediawiki-1.12.0/debian/po/ar.po --- mediawiki-1.12.0/debian/po/ar.po +++ mediawiki-1.12.0/debian/po/ar.po @@ -21,10 +21,10 @@ "PO-Revision-Date: 2007-06-13 12:40+0300\n" "Last-Translator: Ossama M. Khayat <[email protected]>\n" "Language-Team: Arabic <[email protected]>\n" +"Language: ar\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: ar\n" "X-Generator: KBabel 1.11.4\n" "Plural-Forms: nplurals=6; plural=n==1 ? 0 : n==0 ? 1 : n==2 ? 2: n%100>=3 && " "n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5\n" diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series --- mediawiki-1.12.0/debian/patches/series +++ mediawiki-1.12.0/debian/patches/series @@ -13,0 +14 @@ +CVE-2011-0003.patch only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-0003.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-0003.patch 
@@ -0,0 +1,28 @@ +Description: prevent ClickJacking by breaking out of iframes +Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=26561 +Author: Tim Starling +Last-Update: 2011-01-04 + +--- mediawiki-1.12.0.orig/config/index.php ++++ mediawiki-1.12.0/config/index.php +@@ -21,6 +21,7 @@ + + error_reporting( E_ALL ); + header( "Content-type: text/html; charset=utf-8" ); ++header( 'X-Frame-Options: DENY' ); + @ini_set( "display_errors", true ); + + # In case of errors, let output be clean. +--- mediawiki-1.12.0.orig/includes/OutputPage.php ++++ mediawiki-1.12.0/includes/OutputPage.php +@@ -717,6 +717,9 @@ + $wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" ); + $wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode ); + ++ # To prevent clickjacking, do not allow this page to be inside a frame. ++ $wgRequest->response()->header( 'X-Frame-Options: DENY' ); ++ + if ($this->mArticleBodyOnly) { + $this->out($this->mBodytext); + } else {
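Review bot: the Description line ("prevent ClickJacking by breaking out of iframes") misstates what the config/index.php hunk does: `header( 'X-Frame-Options: DENY' )` does not break the page out of a frame, it asks browsers that honour the header to refuse to render the response inside one, and a browser without X-Frame-Options support renders it normally. Reword the Description to say the installer page now refuses framing via X-Frame-Options, and note in the changelog that the protection depends on the client browser honouring the header.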
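Review bot: the OutputPage.php hunk contradicts the changelog entry. The changelog says framing is denied "on all pages except normal page views and a few selected special pages", but `$wgRequest->response()->header( 'X-Frame-Options: DENY' )` is sent unconditionally from output(), with no check of the action, title or special page, so every response is affected, including the `$this->mArticleBodyOnly` output right below it, which is the form most likely to be embedded legitimately. Either gate the header on the page types the changelog exempts (SAMEORIGIN rather than DENY may be the right value for ordinary views if same-site embedding is needed), or reword the changelog to say framing is denied on all pages.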
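As an added example (not part of this mail, the Debian package or MediaWiki), the following Python script models the browser-side check that the X-Frame-Options header added by the patch relies on, following the X-Frame-Options steps of the HTML standard's navigation response check, and runs it over constructed header sets: one with no header (the unpatched 1.12.0 behaviour), one with the DENY the patch sends, one with SAMEORIGIN, and one with conflicting values from two header lines. The wiki and attacker URLs and the header sets are made up for the demonstration; Content-Security-Policy frame-ancestors, which overrides this header in current browsers, is deliberately left out.

```python
"""
Model of a browser's X-Frame-Options decision (HTML standard, "check a
navigation response's adherence to X-Frame-Options"), minus the CSP
frame-ancestors precedence step.  Added example, not MediaWiki or Debian code.
"""
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """(scheme, host, port) tuple used for the same-origin comparison."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def xfo_values(headers) -> list:
    """Every X-Frame-Options value across all header lines, split on commas,
    stripped and lowercased, deduplicated in first-seen order (the standard's set)."""
    seen = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for token in value.split(","):
            token = token.strip().lower()
            if token and token not in seen:
                seen.append(token)
    return seen


def framing_allowed(headers, page_url, ancestor_urls) -> tuple:
    """Return (allowed, reason) for rendering page_url inside frames whose
    documents come from ancestor_urls (innermost parent first, top-level last)."""
    if not ancestor_urls:
        return True, "top-level navigation: X-Frame-Options does not apply"
    values = xfo_values(headers)
    if not values:
        return True, "no X-Frame-Options header: any site may frame this page"
    if len(values) > 1 and ({"deny", "allowall", "invalid"} & set(values)):
        return False, f"conflicting values {values}: blocked"
    if len(values) > 1:
        return True, f"multiple non-deny values {values}: header ignored"
    v = values[0]
    if v == "deny":
        return False, "DENY: never framed, even by the same origin"
    if v == "sameorigin":
        for a in ancestor_urls:
            if origin(a) != origin(page_url):
                return False, f"SAMEORIGIN: ancestor {a} is cross-origin"
        return True, "SAMEORIGIN: every ancestor shares the page's origin"
    # 'allow-from <uri>' and any other token are not recognised by current
    # browsers, so the header has no effect.
    return True, f"unrecognised value {v!r}: header ignored"


# Constructed sample responses and URLs (not captured from a real wiki).
WIKI = "https://wiki.example.org/wiki/Main_Page"
WIKI_OTHER = "https://wiki.example.org/wiki/Special:UserLogin"
ATTACKER = "https://evil.example.net/bait.html"

UNPATCHED = [("Content-Type", "text/html; charset=utf-8")]           # 1.12.0 before the patch
PATCHED = UNPATCHED + [("X-Frame-Options", "DENY")]                     # what the patch sends
SAMEORIGIN = UNPATCHED + [("X-Frame-Options", "SAMEORIGIN")]
CONFLICTING = UNPATCHED + [("X-Frame-Options", "SAMEORIGIN"),
                           ("X-Frame-Options", "DENY")]
CASES = {"unpatched": UNPATCHED, "patched": PATCHED,
         "sameorigin": SAMEORIGIN, "conflicting": CONFLICTING}


def audit(cases, page_url, ancestor_urls) -> dict:
    """Case name -> whether the given ancestor chain may frame the page."""
    return {name: framing_allowed(h, page_url, ancestor_urls)[0]
            for name, h in cases.items()}


if __name__ == "__main__":
    for name, ok in audit(CASES, WIKI, [ATTACKER]).items():
        print(f"{name:12s} framed by {ATTACKER}: {'ALLOWED' if ok else 'blocked'}")
```

Running it shows that only the header-less (unpatched) response can be framed by the attacker page; DENY blocks even same-origin framing, which is what makes it the wrong choice for pages that a site legitimately embeds, and two differing header lines are treated as a block. To check a live wiki, feed the script the `(name, value)` pairs of an actual HTTP response instead of the constructed lists.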