Package: release.debian.org
Severity: normal
X-Debbugs-CC: Dominik George <n...@naturalnet.de>, pkg-mediawiki-de...@lists.alioth.debian.org
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

This is the companion upload for 1:1.19.3-1 recently in Wheezy, to fix security bugs. Debdiff attached.

The security team have stated that they do not want to do a DSA.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghits

diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog --- mediawiki-1.15.5/debian/changelog 2012-01-21 21:08:01.000000000 +0000 +++ mediawiki-1.15.5/debian/changelog 2012-12-16 17:54:27.000000000 +0000 @@ -1,3 +1,12 @@ +mediawiki (1:1.15.5-2squeeze5) stable; urgency=low + + [ Dominik George ] + * Security fixes from upstream (Closes: #694998): + - CVE-2012-5391 - Prevent session fixation in Special:UserLogin + - Prevent linker regex from exceeding backtrack limit + + -- Jonathan Wiltshire <j...@debian.org> Sun, 16 Dec 2012 17:53:38 +0000 + mediawiki (1:1.15.5-2squeeze4) stable; urgency=low * Disable CVE-2011-4360.patch, it causes ugly error messages in certain diff -Nru mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch --- mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch 2012-12-16 15:34:48.000000000 +0000 
@@ -0,0 +1,33 @@ +Description: Prevent session fixation in Special:UserLogin (CVE-2012-5391) + Sessions id's in the default MediaWiki authentication are not refreshed on + login or logout. An attacker can use this to impersonate a user. +Author: Chris Steipp <cste...@wikimedia.org> +Origin: upstream, https://gerrit.wikimedia.org/r/#/c/36079/ +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=40995 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998 +Reviewed-by: Dominik George <n...@naturalnet.de> +--- a/includes/specials/SpecialUserlogin.php ++++ b/includes/specials/SpecialUserlogin.php +@@ -591,6 +591,8 @@ + global $wgLang, $wgRequest; + $code = $wgRequest->getVal( 'uselang', $wgUser->getOption( 'language' ) ); + $wgLang = Language::factory( $code ); ++ // Reset SessionID on Successful login (bug 40995) ++ $this->renewSessionId(); + return $this->successfulLogin(); + } else { + return $this->cookieRedirectCheck( 'login' ); +@@ -1062,6 +1064,13 @@ + $wgRequest->setSessionData( 'wsCreateaccountToken', null ); + } + ++ /** ++ * Renew the user's session id ++ */ ++ private function renewSessionId() { ++ session_regenerate_id( false ); ++ } ++ + /** + * @private + */ diff -Nru mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch --- mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch 2012-12-16 16:40:44.000000000 +0000 
@@ -0,0 +1,48 @@ +Description: Prevent linker regex from exceeding PCRE backtrack limit +Author: Chris Steipp <cste...@wikimedia.org> +Origin: upstream +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=41400 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998 +Reviewed-by: Dominik George <n...@naturalnet.de> +--- a/includes/Linker.php ++++ b/includes/Linker.php +@@ -1297,7 +1297,18 @@ + */ + public function formatLinksInComment( $comment ) { + return preg_replace_callback( +- '/\[\[:?(.*?)(\|(.*?))*\]\]([^[]*)/', ++ '/ ++ \[\[ ++ :? # ignore optional leading colon ++ ([^\]|]+) # 1. link target; page names cannot include ] or | ++ (?:\| ++ # 2. a pipe-separated substring; only the last is captured ++ # Stop matching at | and ]] without relying on backtracking. ++ ((?:]?[^\]|])*+) ++ )* ++ \]\] ++ ([^[]*) # 3. link trail (the text up until the next link) ++ /x', + array( $this, 'formatLinksInCommentCallback' ), + $comment ); + } +@@ -1316,8 +1327,8 @@ + } + + # Handle link renaming [[foo|text]] will show link as "text" +- if( "" != $match[3] ) { +- $text = $match[3]; ++ if( "" != $match[2] ) { ++ $text = $match[2]; + } else { + $text = $match[1]; + } +@@ -1328,7 +1339,7 @@ + $thelink = $this->makeMediaLink( $submatch[1], "", $text ); + } else { + # Other kind of link +- if( preg_match( $wgContLang->linkTrail(), $match[4], $submatch ) ) { ++ if( preg_match( $wgContLang->linkTrail(), $match[3], $submatch ) ) { + $trail = $submatch[1]; + } else { + $trail = ""; diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series --- mediawiki-1.15.5/debian/patches/series 2012-01-21 20:57:43.000000000 +0000 +++ mediawiki-1.15.5/debian/patches/series 2012-12-16 16:41:00.000000000 +0000 @@ -13,3 +13,5 @@ CVE-2011-1587.patch CVE-2011-4361.patch CVE-2012-0046.patch +CVE-2012-5391.patch +pcre-linker-backtrack.patch
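
Review bot: In the SpecialUserlogin.php hunk at @@ -591, only the branch that returns successfulLogin() renews the session id; the else branch returning cookieRedirectCheck( 'login' ) keeps the pre-login id. If a login can complete after that redirect, confirm that path also reaches renewSessionId(). The patch description also names logout, but no hunk shown here touches a logout path.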
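
Review bot: In renewSessionId() (SpecialUserlogin.php hunk at @@ -1062), session_regenerate_id( false ) leaves the old session record in place on the server, and the return value is ignored. Either pass true so the old id no longer resolves to stored data, or extend the docblock to say why the old record is kept. A false return should also be handled so that a failed regeneration does not proceed silently to successfulLogin().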
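
Review bot: In formatLinksInComment() (Linker.php hunk at @@ -1297), the result of preg_replace_callback is still returned unchecked. It returns null on a PCRE error, which is the failure this patch is about, so an explicit null check with a defined fallback would be safer than returning null to the caller. The link target also changed from (.*?) to ([^\]|]+), so an empty target such as [[|text]] no longer matches; the patch description should say so if that is intended.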
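
Review bot: The callback hunks at @@ -1316 and @@ -1339 shift $match[3] to $match[2] and $match[4] to $match[3] by hand, so any other numeric index in formatLinksInCommentCallback outside these hunks has to be shifted too, and nothing visible here shows that was checked. Named groups in the pattern would remove the coupling between the regex layout and the callback.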