-
mediawiki (1:1.39.7-1) unstable; urgency=medium
* New upstream version 1.39.7. (Closes: #1064797)
* Drop obsolete Lintian override for
package-supports-alternative-init-but-no-init.d-script.
* Fix ordering in debian/changelog to fix the
globbing-patterns-out-of-order lintian warning.
-- Taavi Väänänen <email address hidden> Fri, 29 Mar 2024 13:30:00 +0200
-
mediawiki (1:1.39.6-1) unstable; urgency=medium
* New upstream version 1.39.6, fixing CVE-2023-51704.
-- Taavi Väänänen <email address hidden> Wed, 27 Dec 2023 22:39:20 +0200
-
mediawiki (1:1.39.5-1) unstable; urgency=medium
* New upstream version 1.39.5, fixing CVE-2023-3550,
CVE-2023-45359, CVE-2023-45360, CVE-2023-45361, CVE-2023-45362,
CVE-2023-45363, CVE-2023-45364.
-- Kunal Mehta <email address hidden> Mon, 09 Oct 2023 15:00:33 -0400
-
mediawiki (1:1.39.4-2) unstable; urgency=medium
* Set Breaks/Replaces for mediawiki-extensions-math (Closes: #1039075)
-- Kunal Mehta <email address hidden> Tue, 04 Jul 2023 02:42:01 -0400
-
mediawiki (1:1.39.4-1) unstable; urgency=medium
[ Kunal Mehta ]
* Update apache2 config for PHP 8
* Set "X-Content-Type-Options: nosniff" header for image directories
* Remove pre-Apache 2.3 support
[ Taavi Väänänen ]
* New upstream version 1.39.4, fixing CVE-2023-29141, CVE-2023-36674
and CVE-2023-36675.
* The bundled guzzlehttp/guzzle library was updated to 2.4.5 to fix
CVE-2023-29197.
-- Taavi Väänänen <email address hidden> Fri, 30 Jun 2023 19:44:00 +0300
-
mediawiki (1:1.39.2-1) unstable; urgency=medium
* New upstream version 1.39.2
* d/control: Raise minimum PHP version to 7.4
-- Taavi Väänänen <email address hidden> Thu, 23 Feb 2023 15:13:02 +0200
-
mediawiki (1:1.39.1-2) unstable; urgency=medium
* d/copyright: Remove stale entry for vendor/wikimedia/dodo/*
* d/rules: Raise Standards-Version to 4.6.2, no changes needed
* d/control: Add a Breaks: for old GreyStuff versions
-- Taavi Väänänen <email address hidden> Tue, 27 Dec 2022 12:34:25 +0200
-
mediawiki (1:1.39.1-1) unstable; urgency=medium
* New upstream version 1.39.1
-- Taavi Väänänen <email address hidden> Fri, 23 Dec 2022 12:09:19 +0200
-
mediawiki (1:1.39.0-2) unstable; urgency=medium
* Cherry-pick upstream patch to fix 32-bit issues in wikimedia/idle-dom
-- Kunal Mehta <email address hidden> Sun, 11 Dec 2022 20:10:05 -0500
-
mediawiki (1:1.39.0-1) unstable; urgency=medium
* New upstream version 1.39.0
-- Taavi Väänänen <email address hidden> Sun, 04 Dec 2022 22:20:45 +0200
-
mediawiki (1:1.35.8-1.1) unstable; urgency=medium
* Non-maintainer upload.
* No source change upload to rebuild with debhelper 13.10.
-- Michael Biebl <email address hidden> Sat, 15 Oct 2022 12:21:41 +0200
-
mediawiki (1:1.35.8-1) unstable; urgency=medium
* New upstream version 1.35.8, fixing CVE-2022-41765 and
CVE-2022-41767.
-- Kunal Mehta <email address hidden> Sun, 02 Oct 2022 21:40:07 -0400
-
mediawiki (1:1.35.7-1) unstable; urgency=medium
[ Taavi Väänänen ]
* New upstream release 1.35.7, fixing CVE-2022-27776 and
CVE-2022-29248 in the embedded guzzlehttp/guzzle library.
[ Kunal Mehta ]
* Officially switch to team maintenance, add Taavi to uploaders
-- Kunal Mehta <email address hidden> Sun, 03 Jul 2022 11:14:52 -0700
-
mediawiki (1:1.35.6-1) unstable; urgency=medium
* Team upload.
* New upstream version 1.35.6, fixing CVE-2022-28201, CVE-2022-28202,
CVE-2022-28203. This version is not affected by CVE-2022-28204.
* Update php extension recommends from composer.json
-- Taavi Väänänen <email address hidden> Fri, 01 Apr 2022 16:49:04 +0300
-
mediawiki (1:1.35.5-2) unstable; urgency=medium
[ Lucas Werkmeister ]
* Remove PHP 5 support from mediawiki.conf
[ Kunal Mehta ]
* Make it easier to debug autopkgtest failures
* Increase PHP's max_execution_time for autopkgtests to 300s, thanks
to Paul Gevers and Bryce Harrington for input and helping test.
-- Kunal Mehta <email address hidden> Thu, 27 Jan 2022 00:46:22 -0800
-
mediawiki (1:1.35.5-1) unstable; urgency=high
[ Kunal Mehta ]
* New upstream version 1.35.5, fixing CVE-2021-44854, CVE-2021-44855,
CVE-2021-44856, CVE-2021-44857, CVE-2021-44858, CVE-2021-45038.
[ Debian Janitor ]
* Remove constraints unnecessary since buster
-- Kunal Mehta <email address hidden> Thu, 30 Sep 2021 20:42:36 -0700
-
mediawiki (1:1.35.4-1) unstable; urgency=medium
* New upstream version 1.35.4, fixing CVE-2021-41798, CVE-2021-41799,
CVE-2021-41800, CVE-2021-41801.
-- Kunal Mehta <email address hidden> Thu, 30 Sep 2021 10:49:49 -0700
-
mediawiki (1:1.35.3-1) unstable; urgency=medium
[ Kunal Mehta ]
* New upstream version 1.35.3, fixing CVE-2021-35197.
[ Tobias Wiese ]
* d/tests: update test restrictions (Closes: #987976)
* d/tests: Add systemd as test dependency
-- Kunal Mehta <email address hidden> Fri, 20 Aug 2021 23:56:23 -0700
-
mediawiki (1:1.35.2-1) unstable; urgency=high
* New upstream version 1.35.2, fixing CVE-2021-30152, CVE-2021-30153,
CVE-2021-30154, CVE-2021-30155, CVE-2021-30157, CVE-2021-30158,
CVE-2021-30159, CVE-2021-30458.
* Bundled pygments was updated to fix CVE-2021-20270, CVE-2021-27291.
-- Kunal Mehta <email address hidden> Thu, 08 Apr 2021 13:41:18 -0700
-
mediawiki (1:1.35.1-2) unstable; urgency=medium
* Make it easier to install for use with SQLite (Closes: #979686)
-- Kunal Mehta <email address hidden> Wed, 03 Feb 2021 15:01:01 -0800
-
mediawiki (1:1.35.1-1) unstable; urgency=medium
* New upstream version 1.35.1, fixing CVE-2020-35474, CVE-2020-35475,
CVE-2020-35477, CVE-2020-35478, CVE-2020-35479, CVE-2020-35480.
* Respect $wgRedirectOnLogin configuration setting (Closes: #971986).
* Flatten footer links without triggering a PHP warning (Closes: #971985).
* Drop patches merged upstream
-- Kunal Mehta <email address hidden> Thu, 17 Dec 2020 17:53:57 -0800
-
mediawiki (1:1.35.0-2) unstable; urgency=medium
* Refactor autopkgtests to make easier to reuse
* Fixup lintian overrides
* d/watch: Switch to version=4
* Add patches for PHP 8.0 and newer Postgres compatibility
* Standards-Version: 4.5.1, no changes needed
-- Kunal Mehta <email address hidden> Mon, 14 Dec 2020 10:56:11 -0800
-
mediawiki (1:1.35.0-1) unstable; urgency=medium
* Upload to unstable.
* New upstream version 1.35.0, fixing CVE-2020-25812,
CVE-2020-25813, CVE-2020-25814, CVE-2020-25815,
CVE-2020-25827, CVE-2020-25828.
* Additionally, mitigations for firejail's CVE-2020-17367,
CVE-2020-17368 are included as well.
* Require PHP 7.3+ (thanks to Platonides for the suggestion).
-- Kunal Mehta <email address hidden> Sun, 27 Sep 2020 04:16:53 -0700
-
mediawiki (1:1.31.8-1) unstable; urgency=medium
* New upstream version 1.31.8, fixing CVE-2020-15005.
* Use debhelper 12 and dh_installsystemd.
-- Kunal Mehta <email address hidden> Wed, 24 Jun 2020 14:25:22 -0700
-
mediawiki (1:1.31.7-1) unstable; urgency=medium
* New upstream version 1.31.7, fixing CVE-2020-10960.
CVE-2020-10960 does not affect this version of MediaWiki.
* A hardening fix was included for the OATHAuth extension to
limit access of user-controlled JavaScript.
* Standards-Version: 4.5.0, no changes needed
-- Kunal Mehta <email address hidden> Thu, 26 Mar 2020 15:30:16 -0700
-
mediawiki (1:1.31.6-1) unstable; urgency=medium
* New upstream version 1.31.6, fixing CVE-2019-19709.
* Drop Postgres patches merged upstream
* Suppress a bunch of lintian warnings that are ignored on purpose
* Sync d/upstream/signing-key.asc with upstream
* autopkgtests: set allow-stderr for all tests that use sudo. Thanks
to Mathieu Trudel-Lapierre for reporting and fixing in Ubuntu.
(Closes: #946665)
-- Kunal Mehta <email address hidden> Thu, 19 Dec 2019 13:20:56 -0800
-
mediawiki (1:1.31.5-3) unstable; urgency=medium
* In autopkgtests, skip testing against mysql-server if it
isn't available, such as in Debian testing
* Move packaging git repository to Salsa and update relevant
documentation
* Set up and configure Salsa CI
* Sync d/upstream/signing-key.asc with upstream
-- Kunal Mehta <email address hidden> Mon, 25 Nov 2019 00:59:49 -0800
-
mediawiki (1:1.31.5-2) unstable; urgency=medium
* Add extra debugging information to autopkgtests
* Backport patches from upstream for Postgresql 12 compatibility
(Closes: #944650)
-- Kunal Mehta <email address hidden> Fri, 15 Nov 2019 15:28:16 -0800
-
mediawiki (1:1.31.5-1) unstable; urgency=medium
* New upstream version 1.31.5
* Incorporate MySQL autopkgtest improvements from Lars Tangvald
and Robie Basak from Ubuntu:
* Use a different method besides MySQL 8.0's default authentication
because PHP doesn't currently support it.
* Explicitly test MySQL and MariaDB regardless of which one is the
default.
* Standards-Version: 4.4.1, no changes needed
-- Kunal Mehta <email address hidden> Sat, 26 Oct 2019 18:01:59 -0700
-
mediawiki (1:1.31.4-1) unstable; urgency=medium
* New upstream version 1.31.4 (security release), fixing
CVE-2019-16738.
-- Kunal Mehta <email address hidden> Fri, 11 Oct 2019 14:47:07 -0700
-
mediawiki (1:1.31.2-1) unstable; urgency=medium
[ Kunal Mehta ]
* New upstream version 1.31.2 (security release), fixing
CVE-2019-12466, CVE-2019-12467, CVE-2019-12468, CVE-2019-12469,
CVE-2019-12470, CVE-2019-12471, CVE-2019-12472, CVE-2019-12473,
CVE-2019-12474. The bundled jQuery was also updated, fixing
CVE-2019-11358.
* Fix regex that was breaking file uploads in PHP 7.3
(Closes: #928716).
* Sync upstream/signing-key.asc with mediawiki.org.
* Drop patch merged upstream.
* Revert "Temporarily add allow-stderr restriction to autopkgtests",
as it was fixed upstream.
[ Mark A. Hershberger ]
* Fix indentation in README.Debian
-- Kunal Mehta <email address hidden> Wed, 05 Jun 2019 22:40:28 -0400
-
mediawiki (1:1.31.1-4) unstable; urgency=medium
* Update my email address
* Temporarily add allow-stderr restriction to autopkgtests (Closes: #911829)
-- Kunal Mehta <email address hidden> Thu, 25 Oct 2018 23:19:40 -0700
-
mediawiki (1:1.31.1-3) unstable; urgency=medium
* Document removal of CologneBlue and Modern in NEWS (Closes: #909589)
* Document filesystem structure in README.Debian
-- Kunal Mehta <email address hidden> Wed, 26 Sep 2018 20:41:24 -0700
-
mediawiki (1:1.31.1-2) unstable; urgency=medium
* Fix SQLite autopkgtests.
* Remove bogus version dependency upon php-common.
* Fix some package-contains-documentation-outside-usr-share-doc issues.
-- Kunal Mehta <email address hidden> Sat, 22 Sep 2018 16:16:02 -0700
-
mediawiki (1:1.31.1-1) unstable; urgency=medium
* New upstream version 1.31.1, including fixes for CVE-2018-0503,
CVE-2018-0505, CVE-2018-0504.
* Use PlatformSettings.php instead of LocalSettingsGenerator, see NEWS
for details on how to migrate.
* Wrap $wgFooterIcons custom config in an $wgExtensionFunctions, so the
resources path is read after config. (Closes: #863332)
* SyntaxHighlight extension now uses Python 3.
-- Kunal Mehta <email address hidden> Fri, 21 Sep 2018 23:13:24 -0700
-
mediawiki (1:1.30.0-1) unstable; urgency=medium
* New upstream version 1.30.0
* Update Vcs-Browser to use Gerrit/Gitiles as repository viewer
* Update d/watch for 1.30
* Update d/copyright for 1.30
* Rebase patches, dropping php-jwt-fix-shebang.diff
* Don't try to install any *.phtml
* Drop Suggests on hhvm
* Suppress and fix some lintian issues
* Refer to newly available `/usr/share/common-licenses/CC0-1.0`
* Standards-Version: 4.1.4
* Update mediawiki.NEWS for 1.30 release
* Install composer.json to avoid update.php warning
-- Kunal Mehta <email address hidden> Thu, 12 Apr 2018 21:26:19 -0700
-
mediawiki (1:1.27.4-3) unstable; urgency=medium
* Add basic tests via autopkgtest
* Document mediawiki-jobrunner systemd unit in README.Debian
-- Kunal Mehta <email address hidden> Sun, 03 Dec 2017 00:20:33 -0800
-
mediawiki (1:1.27.4-2) unstable; urgency=medium
* Bump Standards-Version to 4.1.1
* Set Rules-Requires-Root: no
* Remove unused lintian overrides
* Upgrade php-apcu to a Recommends
* Use debhelper compat 10
* Add a systemd unit to run runJobs.php as a service
* Get rid of unnecessary dh_installdeb override
* Remove dead code to mess with $wgVersion
* Synchronise upstream/signing-key.asc
* Remove broken ConfirmEdit/Asirra.php & Vector/Vector.php symlinks
(Closes: #857773)
* Document descriptions and forwarded status for all patches
* Remove unused GPL-3.0 paragraph from debian/copyright
* Override composer-package-without-pkg-php-tools-builddep lintian warning
-- Kunal Mehta <email address hidden> Thu, 23 Nov 2017 01:22:51 -0800
-
mediawiki (1:1.27.4-1) unstable; urgency=medium
* Imported Upstream version 1.27.4 (security release), fixing
CVE-2017-8809, CVE-2017-8810, CVE-2017-8808, CVE-2017-8811,
CVE-2017-8812, CVE-2017-8814, CVE-2017-8815.
* Users who used the default configuration should not be affected
by CVE-2017-9841, but an extra .htaccess file will restrict
web access to the vendor/ directory.
-- Kunal Mehta <email address hidden> Tue, 14 Nov 2017 15:52:47 -0800
-
mediawiki (1:1.27.3-1) unstable; urgency=medium
* Imported Upstream version 1.27.3 (security release), that
actually contains the fix for CVE-2017-0372 (Closes: #861585)
-- Kunal Mehta <email address hidden> Mon, 01 May 2017 13:20:11 -0700
-
mediawiki (1:1.27.2-1) unstable; urgency=medium
* Improve NEWS file (Closes: #852862, #854352)
* Imported Upstream version 1.27.2 (security release), fixing
CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0361,
CVE-2017-0362, CVE-2017-0368, CVE-2017-0366, CVE-2017-0370,
CVE-2017-0369, CVE-2017-0367, CVE-2017-0372
-- Kunal Mehta <email address hidden> Thu, 06 Apr 2017 14:04:24 -0700
-
mediawiki (1:1.27.1-3) unstable; urgency=medium
* Ensure mediawiki depends upon the same version of mediawiki-classes
* Add powered by Debian icon in footer
* Add NEWS for major version upgrade (Closes: #838965)
* Add README for mediawiki-classes
* Add RELEASE-NOTES-* as documentation for mediawiki
* Recommend default-mysql-server | virtual-mysql-server instead of
just mysql-server (Closes: #843994, #848441)
* Use bundled jQuery (version 1) instead of Debian's jQuery, which is
now the incompatible version 3
* Add Provides for extensions now included in this one (Closes: #845281)
-- Kunal Mehta <email address hidden> Tue, 13 Sep 2016 04:17:42 -0700
-
mediawiki (1:1.27.1-2) unstable; urgency=high
* Add missing php-xml dependency (Closes: #835912)
-- Kunal Mehta <email address hidden> Mon, 29 Aug 2016 20:44:17 -0700
-
mediawiki (1:1.27.1-1) unstable; urgency=medium
* Add gbp.conf for git-buildpackage
* Improve Breaks/Replaces for mediawiki-extensions-* packages
(Closes: #831227)
* Update apache config for mod_php7
* Don't add custom PHP session configuration (Closes: #831874)
* Imported Upstream version 1.27.1 (security release), fixing
CVE-2016-6335, CVE-2016-6334, CVE-2016-6333, CVE-2016-6333,
CVE-2016-6336, CVE-2016-6332, CVE-2016-6332, CVE-2016-6331,
CVE-2016-6337
-- Kunal Mehta <email address hidden> Mon, 22 Aug 2016 20:08:40 -0700
-
mediawiki (1:1.27.0-1) unstable; urgency=medium
* New upstream release
* Update dependencies to be PHP version agnostic
* Switch to new 1.27 MediaWiki Installer overrides system, drop old patches
* Local patch to remove newline before shebang in php-jwt/run-tests.sh
* Local patch to fix pear/mail_mime/scripts/phail.php shebang
* Remove permission fixes that were addressed upstream, add new ones
* Properly override source-is-missing lintian warning
* Drop AdminSettings.php support
* Add php-curl, php-intl, and php-wikidiff2 as Recommends
* Add python as recommended for SyntaxHighlighting (via pygments)
* Remove unnecessary Build-Depends packages
* Update watch file for 1.27
* Standards version 3.9.8
* Include serialized/ folder in install, MediaWiki now needs it at runtime
* Rewrite and simplify README
-- Kunal Mehta <email address hidden> Thu, 30 Jun 2016 22:48:23 +0000
-
mediawiki (1:1.25.5-1) unstable; urgency=medium
* Upgraded to new upstream release
* Remove unneeded patches
* Remove redrawn CC images; images provided by upstream are free
* Fixed lintian warnings
-- Kunal Mehta <email address hidden> Sun, 09 Aug 2015 23:49:36 +0000
-
mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high
* Non-maintainer upload.
* Add patch fixing several security issues:
- (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
contain XML entities, to prevent various DoS attacks.
- (bug T88310) SECURITY: Always expand xml entities when checking
SVG's.
- (bug T73394) SECURITY: Escape > in Html::expandAttributes to
prevent XSS.
- (bug T85855) SECURITY: Don't execute another user's CSS or JS
on preview.
- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
fixed in SVG filtering to prevent XSS and protect viewer's
privacy.
-- Thijs Kinkhorst <email address hidden> Mon, 06 Apr 2015 16:53:54 +0000
-
mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
* Non-maintainer upload.
* Add patch fixing T76686: thumb.php outputs wikitext message as raw
HTML, which could lead to xss. Permission to edit MediaWiki namespace
is required to exploit this.
-- Sebastien Delafond <email address hidden> Sun, 21 Dec 2014 13:11:10 +0100
-
mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
* Non-maintainer upload.
* CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
poses a potentially severe security problem for API clients written in
PHP, in that format=php is affected (Closes: #772764).
-- Sebastien Delafond <email address hidden> Sun, 14 Dec 2014 18:23:47 +0100
-
mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
* Team upload.
* Remove myself from Uploaders.
-- Thorsten Glaser <email address hidden> Tue, 07 Oct 2014 18:13:52 +0000
-
mediawiki (1:1.19.20+dfsg-1) unstable; urgency=medium
* Make debian/rules get-orig-source-tg call uscan automatically
* New upstream security release:
- (bug 70672) SECURITY: OutputPage: Remove separation of css
and js module allowance.
-- Thorsten Glaser <email address hidden> Thu, 02 Oct 2014 10:50:16 +0200
-
mediawiki (1:1.19.19+dfsg-1) unstable; urgency=medium
[ Mert Dirik ]
* Update turkish Debconf translation (Closes: #759878)
[ Thorsten Glaser ]
* Remove Romain Beauxis’ bouncing eMail address
* Acknowledge NMU (1:1.19.18+dfsg-0.1) – thanks!
* New upstream security and maintenance release:
- (bug 69008) SECURITY: Enhance CSS filtering in SVG files.
Filter <style> elements; normalize style elements and
attributes before filtering; add checks for attributes that
contain css; add unit tests for html5sec and reported bugs.
* Bump Policy (no change required)
* Update lintian overrides
-- Thorsten Glaser <email address hidden> Thu, 25 Sep 2014 16:55:58 +0200
-
mediawiki (1:1.19.18+dfsg-0.1) unstable; urgency=high
* Non-maintainer upload with maintainers approval.
* Imported Upstream version 1.19.18+dfsg
(Closes: #758510)
- CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
- CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
OutputPage and ParserOutput.
-- Salvatore Bonaccorso <email address hidden> Sun, 24 Aug 2014 06:47:35 +0200
-
mediawiki (1:1.19.17+dfsg-1) unstable; urgency=medium
* New upstream security and maintenance release:
- (bug 65839) SECURITY: Prevent external resources in SVG files.
- (bug 66428) MimeMagic: Don't seek before BOF. This has weird
side effects like only extracting the tail of the file partially
or not at all.
* Update lintian overrides
-- Thorsten Glaser <email address hidden> Thu, 26 Jun 2014 09:57:03 +0200
-
mediawiki (1:1.19.16+dfsg-1) unstable; urgency=medium
* New upstream security and maintenance release:
- CVE-2014-3966 (bug 65501) SECURITY: Don't parse usernames as
wikitext on Special:PasswordReset.
* Update debian/upstream/signing-key.asc
-- Thorsten Glaser <email address hidden> Wed, 11 Jun 2014 16:35:39 +0200
-
mediawiki (1:1.19.15+dfsg-2) unstable; urgency=high
* Depend on recent enough php5-common version to be able to use
php5{en,dis}mod in maintainer scripts (Closes: #743893)
* Urgency high because this rides on the previous security fix
-- Thorsten Glaser <email address hidden> Tue, 08 Apr 2014 09:46:46 +0200
-
mediawiki (1:1.19.15+dfsg-1) unstable; urgency=medium
* New upstream security and maintenance release:
- Fixed resetting passwords
- (bug 58640) Fixed compatibility issue with PCRE 8.34 that
caused pages to appear blank or with missing text
-- Thorsten Glaser <email address hidden> Thu, 03 Apr 2014 10:11:51 +0200
-
mediawiki (1:1.19.14+dfsg-1) unstable; urgency=medium
* New upstream security fix release (Closes: #742857):
- (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
- (bug 62467) Set a title for the context during import on the cli
* Use upstream-provided signing key bundle
-- Thorsten Glaser <email address hidden> Fri, 28 Mar 2014 09:56:29 +0100
-
mediawiki (1:1.19.13+dfsg-1) unstable; urgency=medium
* New upstream security fix release:
- (bug 61362) Don't find links in the middle of api.php links
* Raise session max lifetime (Closes: #648823)
-- Thorsten Glaser <email address hidden> Mon, 24 Mar 2014 09:42:23 +0100
-
mediawiki (1:1.19.12+dfsg-1) unstable; urgency=medium
[ Florian Weimer ]
* Add “Replaces: mediawiki-extensions-confirmedit”
[ Thorsten Glaser ]
* debian/watch: Change download location – the one we were using
didn’t have the new release, and the announcement pointed to a
different location – needs clarification which download URI is
canonical…
* debian/upstream/signing-key.asc: Add mah’s key, too…
* New upstream security fix release:
- (bug 60771) disallow iframe and unusual namespaces in SVG
- (bug 61346) make token comparison use constant time
* Fix stuff lintian pointed out (thanks)
-- Thorsten Glaser <email address hidden> Fri, 28 Feb 2014 18:49:08 +0100
-
mediawiki (1:1.19.11+dfsg-1) unstable; urgency=medium
* New upstream security fix release:
- CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
* Update upstream signing key location to devscript maintainers’
latest whim…
* Rely on uscan in get-orig-source instead of downloading manually
-- Thorsten Glaser <email address hidden> Wed, 29 Jan 2014 10:10:39 +0100
-
mediawiki (1:1.19.10+dfsg-1) unstable; urgency=high
* New upstream security fix release:
- CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
- CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
- CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
- CVE-2013-6454 (bug 58472) Disallow -o-link in styles
- CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks
-- Thorsten Glaser <email address hidden> Tue, 14 Jan 2014 10:51:35 +0100
-
mediawiki (1:1.19.9+dfsg-2) unstable; urgency=medium
* Ship files in /etc/mediawiki-extensions/extensions-available/
for extensions shipped with the mediawiki core
* Correct typo in changelog for 1:1.19.9+dfsg-1
-- Thorsten Glaser <email address hidden> Tue, 31 Dec 2013 14:00:37 +0100
-
mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
* Non-maintainer upload
* Security fixes (Closes: #729629):
- Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's
blacklist [CVE-2013-4567, CVE-2013-4568]
- Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers
when a user was autocreated, causing the user's session cookies to be
cached, and returned to other users [CVE-2013-4572]
* New Polish debconf translation, thanks to Magdalena Z. Kubot
(Closes: #731381)
-- David Prévot <email address hidden> Sun, 08 Dec 2013 16:13:40 -0400
-
mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low
* Provide includes/libs in mediawiki-classes (Closes: #703837)
-- David Prévot <email address hidden> Wed, 23 Oct 2013 11:29:27 -0400
-
mediawiki (1:1.19.8+dfsg-2) unstable; urgency=low
[ Thorsten Glaser ]
* debian/rules: get-orig-source now leaves the repacked origtgz
in ./ ipv in ./debian/ according to Policy §4.9 (noticed by
Natureshadow)
* Add version guards to apache.conf
[ Jonathan Wiltshire ]
* Update apache.conf for Apache 2.4 syntax changes, and document
in debian/NEWS (Closes: #723620, #669832)
-- Jonathan Wiltshire <email address hidden> Tue, 24 Sep 2013 19:04:42 +0100
-
mediawiki (1:1.19.8+dfsg-1) unstable; urgency=low
* mediawiki-math is now called mediawiki-extensions-math
⇒ update the package relationship fields
* Make my self-drawn CC images nicer and more consistent
* New upstream security release
* Secure the default images directory (Closes: #716884)
* Allow PDF upload (Closes: #716957)
* Nuke ref to ENOENT dir (Closes: #705107)
* Update debian/copyright information
* Pull upstream patch to fix variables (Closes: #709943)
* Sort patches ASCIIbetically; refresh them against new version
* For Apache 2.4, move configuration file (Closes: #669832)
-- Thorsten Glaser <email address hidden> Thu, 05 Sep 2013 17:07:53 +0200
-
mediawiki (1:1.19.7+dfsg-1) unstable; urgency=low
* New low-impact upstream security release
* Refresh patches
* Change watch file to track upstream LTS version
* Replace trademarked image files by self-drawn Free ones
* Fix VCS-* URLs – prodded by lintian from experimental
* Policy 3.9.4 with no further changes needed
-- Thorsten Glaser <email address hidden> Thu, 23 May 2013 11:03:39 +0000
-
mediawiki (1:1.19.6-1) unstable; urgency=low
* New upstream security release (Closes: #706601):
- SVG script filtering could be bypassed for Chrome and Firefox
clients by using an encoding that MediaWiki understood, but these
browsers interpreted as UTF-8. (CVE-2013-2031)
- Internal review discovered that extensions were not given the
opportunity to disable a password reset, which could lead to
circumvention of two-factor authentication (CVE-2013-2032)
-- Jonathan Wiltshire <email address hidden> Sat, 11 May 2013 16:07:43 +0100
-
mediawiki (1:1.19.5-1) unstable; urgency=high
[ Platonides ]
* Update config URL in README.Debian (Closes: #703804)
[ Thorsten Glaser ]
* Re-add LocalSettings creation snippet for support of the
mediawiki-extensions Debian packaging (Closes: #703852)
* New upstream security-only release:
- (bug 47251) SECURITY: Disable external entities in Import
- (bug 46859) SECURITY: Disable external entities in XMLReader
- (bug 46084) SECURITY: Sanitize $limitReport before outputting
- (bug 43594) Fix notices displayed on PHP 5.4
- (bug 40585) Don't drop 'step="any"' in HTML input fields.
* Refresh patches against new upstream code
-- Thorsten Glaser <email address hidden> Tue, 16 Apr 2013 11:04:05 +0200
-
mediawiki (1:1.19.4-1) unstable; urgency=high
* Urgency high for security fix
* New upstream release:
- New preference type - 'api'. Preferences of this type are not shown
on Special:Preferences, but are still available via the
action=options API.
- (bug 44010) Context is passed to UserGetLanguageObject.
- The recursion guard on RequestContext::getLanguage() was weakened.
- (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
- (bug 43518) API action=unblock should return the user name, not the
full user object (Closes: #702305)
- Increase timeout values for some tests
-- Jonathan Wiltshire <email address hidden> Mon, 04 Mar 2013 23:06:30 +0000
-
mediawiki (1:1.19.3-2) unstable; urgency=low
* Add missing changelog entries to 1:1.19.3-1 upload (oops…)
* Upstream patch to fix XHTML issue in Special:Upload (BZ#40889)
* Upstream patch to fix another MySQLism (BZ#39635) (Closes: #700595)
* Update lintian overrides
-- Thorsten Glaser <email address hidden> Mon, 18 Feb 2013 10:24:08 +0100
-
mediawiki (1:1.19.3-1) unstable; urgency=high
[ Dominik George ]
* Team upload
* New upstream version fixes security issues (Closes: #694998)
+ Prevent session fixation in Special:UserLogin (CVE-2012-5391)
https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+ Prevent linker regex from exceeding PCRE backtrack limit
https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
[ Thorsten Glaser ]
* Fix spelling error in README.Debian (thanks lintian!)
-- Dominik George <email address hidden> Wed, 12 Dec 2012 09:44:08 +0100
-
mediawiki (1:1.19.2-2) unstable; urgency=low
* debian/watch: mangle the epoch away so DDPO is green again
* Break mw-ext-fckeditor, it doesn’t work with 1.19 (Closes: #689375)
-- Thorsten Glaser <email address hidden> Tue, 02 Oct 2012 14:09:42 +0200
-
mediawiki (1:1.19.2-1) unstable; urgency=low
[ Thorsten Glaser ]
* New upstream: security fixes for CVE-2012-4377, CVE-2012-4378,
CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382
(Closes: #686330)
* Prevent <table></table> without any <tr /> inside, globally
* Fix more cases of not checking $wgHtml5
* MW’s ID (XML) sanitiser is there for a reason, use it!
* Prevent <ul></ul> without any <li /> inside in MonoBook
* Fix invalid XHTML caused by code not honouring $wgHtml5
* Quell some PHP warnings from sloppy code
* Do the wfSuppressWarnings patch used with FusionForge right
* Add myself to Uploaders and quieten lintian a bit
* Do not replace patched jquery-tablesorter with unpatched one;
unbreaks sortable tables (Closes: #687519)
* Update versioned Breaks against fusionforge and mw-extensions
[ Jonathan Wiltshire ]
* Add Recommends on mediawiki-extensions-base and php-wikidiff2
-- Thorsten Glaser <email address hidden> Thu, 20 Sep 2012 13:40:12 +0200
-
mediawiki (1:1.19.1-1) unstable; urgency=low
* New upstream bug fix release
Closes: #672818, 677895 (CVE-2012-2698)
- debian/rules: remove all .gitignore files too, since upstream
switched to git VCS
* Remove last traces of mediaiki-math binary package
* Remove CDBS logic and dependencies and use dh
auto-sequencer instead
* Depend on debhelper >=9 and use compat level 9; this
stops dh_pysupport adding files to the build
* Do not run update debconf translations on clean
* Disable patch texvc_location.patch; this really belongs in mediawiki-math
now and especially considering <email address hidden>
* Add a versioned Breaks on fusionforge-plugin-mediawiki
* Upload to unstable
-- Jonathan Wiltshire <email address hidden> Mon, 18 Jun 2012 15:25:25 +0100
-
mediawiki (1:1.15.5-10) unstable; urgency=low
* Team upload.
* Apply SQL fix for schema search paths by Roland Mas (#673125)
-- Thorsten Glaser <email address hidden> Wed, 30 May 2012 16:50:36 +0200
-
mediawiki (1:1.15.5-9) unstable; urgency=high
* Team upload.
* Address MW security release 1.18.1-1 (Closes: #666269)
- CVE-2012-1578 MW#34212: doesn’t affect 1.15
- CVE-2012-1579 MW#34907: doesn’t affect 1.15
- CVE-2012-1580 MW#35317: doesn’t affect 1.15
- CVE-2012-1581 MW#35078: fix backported
- CVE-2012-1582 MW#35315: fix backported
* Apply some lintian cleanup
-- Thorsten Glaser <email address hidden> Wed, 16 May 2012 15:01:06 +0200
-
mediawiki (1:1.15.5-8) unstable; urgency=low
* Fix reversing IPv4 address for SORBS blacklist; patch from
Nye Liu <email address hidden> (Closes: #658672)
* Backport a method called by CVE-2011-1580.patch (Closes: #658682)
* Fix warnings issued by PHP 5.4 (Closes: #661682)
* Suggest librsvg-bin (Closes: #644731)
* Demote database server to Suggests (Closes: #617561)
* Add dansk translation (Closes: #627848)
-- Thorsten Glaser <email address hidden> Thu, 15 Mar 2012 12:52:09 +0100
-
mediawiki (1:1.15.5-7) unstable; urgency=high
* debian/patches/CVE-2011-4360.patch: remove – the information
disclosure does not happen on 1.15 and the patch would not
work anyway because the OutputPage object has no setTitle
method (this prevents a PHP fatal error when someone has no
permissions, instead reverting to the pre-1:1.15.5-4 behaviour
of showing a page asking the user to log in)
-- Thorsten Glaser <email address hidden> Fri, 20 Jan 2012 17:13:28 +0100
-
mediawiki (1:1.15.5-6) unstable; urgency=low
[ Thorsten Glaser ]
* debian/patches/khtml_not_ff9.patch: new (Closes: #652948)
[ Jonathan Wiltshire ]
* debian/patches/CVE-2012-0046.patch: security fix for unintended exposure
of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694)
-- Jonathan Wiltshire <email address hidden> Fri, 13 Jan 2012 09:54:41 +0000
-
mediawiki (1:1.15.5-5) unstable; urgency=high
* Security fixes from upstream:
CVE-2011-1578 - XSS for IE <= 6
CVE-2011-1579 - CSS validation error in wikitext parser
CVE-2011-1580 - access control checks on transwiki import feature
CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
-- Jonathan Wiltshire <email address hidden> Sun, 18 Dec 2011 23:48:18 +0000
-
mediawiki (1:1.15.5-4) unstable; urgency=low
[ Thorsten Glaser ]
* debian/patches/fix_invalid_sql.patch: new (Closes: #615983)
[ Jonathan Wiltshire ]
* Security fixes from upstream (Closes: #650434):
CVE-2011-4360 - page titles on private wikis could be exposed
bypassing different page ids to index.php
CVE-2011-4361 - action=ajax requests were dispatched to the
relevant function without any read permission checks being done
-- Jonathan Wiltshire <email address hidden> Wed, 30 Nov 2011 22:42:52 +0000
-
mediawiki (1:1.15.5-3) unstable; urgency=high
[ Thorsten Glaser ] * debian/patches/fix_datetime.patch: new, convert argument into the format expected by other methods, fixes date/time output in e.g. the News/RSS extensions [ Jonathan Wiltshire ] * CVE-2011-0047: Protect against a CSS injection vulnerability (closes: #611787) * Update my email address -- Jonathan Wiltshire <email address hidden> Sun, 06 Feb 2011 15:53:48 +0000
-
mediawiki (1:1.15.5-1) unstable; urgency=high
[ Thorsten Glaser ]
* debian/patches/suppress_warnings.patch: new, suppress warnings
about session_start() being called twice also in the PHP error
log, not just MediaWiki’s, for example run from FusionForge
[ Jonathan Wiltshire ]
* New upstream security release:
- correctly set caching headers to prevent private data leakage
(closes: #590660, LP: #610782)
- fix XSS vulnerability in profileinfo.php
(closes: #590669, LP: #610819)
-- Jonathan Wiltshire <email address hidden> Wed, 28 Jul 2010 12:23:04 +0100
-
mediawiki (1:1.15.4-2) unstable; urgency=low
[ Thorsten Glaser ]
* debian/control: add Vcs-SVN and Vcs-Browser
[ Jonathan Wiltshire ]
* debian/source/format: Switch to source format 3.0 (quilt)
* debian/rules: Drop CDBS quilt logic
* debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
remove the original definition (LP: #406358)
* debian/README.source: document use of quilt and format 3.0 (quilt)
* New patch backup_documentation.patch improves documentation of
maintenance/dumpBackup.php (closes: #572355)
* Standards version 3.9.0 (no changes)
-- Jonathan Wiltshire <email address hidden> Tue, 29 Jun 2010 14:20:35 +0100
-
mediawiki (1:1.15.4-1) unstable; urgency=high
[ Jonathan Wiltshire ]
* New upstream security release (closes: #585918).
* CVE-2010-1647:
Fix a cross-site scripting (XSS) vulnerability which allows
remote attackers to inject arbitrary web script or HTML via crafted
Cascading Style Sheets (CSS) strings that are processed as script by
Internet Explorer.
* CVE-2010-1648:
Fix a cross-site request forgery (CSRF) vulnerability in the login interface
which allows remote attackers to hijack the authentication of users for
requests that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form.
[ Romain Beauxis ]
* Put debian's package version in declared version.
Should help sysadmins to keep track of installed
versions, in particular with regard to security
updates.
* Added Jonathan Wiltshire to uploaders.
* Do not clan math dir if it does not exist (for instance
when running clean from SVN).
-- Romain Beauxis <email address hidden> Mon, 21 Jun 2010 23:41:29 +0200
-
mediawiki (1:1.15.3-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
-- Romain Beauxis <email address hidden> Fri, 16 Apr 2010 14:44:09 -0500
-
mediawiki (1:1.15.2-1) unstable; urgency=high
* New upstream release.
* Fixes security issue:
"Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected."
* Updated standards.
* Removed section about upgrading from mediawiki1.x packages
in README.Debian since they do not exist in any supported distribution
anymore.
* Switched php5-gd and imagemagick in Suggests. Closes: #542008
* Backported patch from revision 51083 to fix a bug with invalid titles.
Closes: #537134
* Backported patch from revision 61090 to add a unique guid per RSS
feed element.
Closes: #383130
* Refreshed patches.
-- Romain Beauxis <email address hidden> Mon, 15 Mar 2010 11:41:07 -0500
-
mediawiki (1:1.15.1-1) unstable; urgency=low
* New upstream release.
* Ack previous NMU, thanks to Nico Golde for taking care
of this.
-- Romain Beauxis <email address hidden> Sun, 09 Aug 2009 10:46:41 -0500
-
mediawiki (1:1.15.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cross-site scripting in [[Special:Block]]
(No CVE id yet; XSS-no-CVE.patch; Closes: #537634).
-- Nico Golde <email address hidden> Sun, 26 Jul 2009 18:11:07 +0200
-
mediawiki (1:1.15.0-1) unstable; urgency=low
* New upstream release.
* Upstream added support for OASIS documents.
Closes: #530328
* Refreshed quilt patches
* Bumped standards versions to 3.8.2
* Bumped compat to 7
* Pointed to GPL-2 in debian/copyright
* Added php5-sqlite to possible DB backend dependencies.
Closes: #501569
* Proofread README.Debian, upgrade is documented there.
Closes: #520121
-- Romain Beauxis <email address hidden> Fri, 19 Jun 2009 01:38:50 +0200
-
mediawiki (1:1.14.0-1) unstable; urgency=low
* New upstream release.
* Fixed issues in the installer:
"A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php).
These vulnerabilities all require a live installer once the installer
has been used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled
copy of MediaWiki on the same site as an active web service, MediaWiki
could be used to attack the active service."
Closes: #514547
* Fixed typo in README.Debian
Closes: #515192
* Updated japanese debconf translation, thanks to Hideki Yamane
Closes: #510896
* Added a file in debian/copyright
-- Romain Beauxis <email address hidden> Fri, 06 Mar 2009 20:29:17 +0100
-
mediawiki (1:1.13.3-1) unstable; urgency=low
* New upstream release.
* Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
"An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2."
Closes: #508868
* Fix CVE-2008-5250: several local script injection vulnerabilities
in MediaWiki:
"o A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
o A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled."
Closes: #508869
* Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
feature in MediaWiki:
"A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0."
Closes: #508870
-- Romain Beauxis <email address hidden> Thu, 18 Dec 2008 02:37:58 +0100
-
mediawiki (1:1.13.2-1) unstable; urgency=low
* New upstream release
* Fix CVE-2008-4408: XSS in mediawiki:
"Cross-site scripting (XSS) vulnerability allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component."
Closes: #501115
-- Romain Beauxis <email address hidden> Sat, 11 Oct 2008 15:02:39 +0200
