Date:      Sat, 1 Sep 2012 12:44:33 +0000 (UTC)
From:      Wen Heping <wen@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r303471 - in head: security/vuxml www/mediawiki www/mediawiki118
Message-ID:  <201209011244.q81CiXGR010482@svn.freebsd.org>

Author: wen
Date: Sat Sep  1 12:44:33 2012
New Revision: 303471
URL: http://svn.freebsd.org/changeset/ports/303471

Log:
  - Update www/mediawiki to 1.19.2
  - Update www/mediawiki118 to 1.18.5
  - Document the security bugs

Modified:
  head/security/vuxml/vuln.xml
  head/www/mediawiki/Makefile
  head/www/mediawiki/distinfo
  head/www/mediawiki118/Makefile
  head/www/mediawiki118/distinfo

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Sep  1 12:17:56 2012	(r303470)
+++ head/security/vuxml/vuln.xml	Sat Sep  1 12:44:33 2012	(r303471)
@@ -51,6 +51,73 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="7c0fecd6-f42f-11e1-b17b-000c2977ec30">
+    <topic>mediawiki -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>mediawiki</name>
+	<range><lt>1.19.2</lt></range>
+      </package>
+      <package>
+	<name>mediawiki118</name>
+	<range><lt>1.18.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>Mediawiki reports:</p>
+        <blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html">;
+          <p>(Bug 39700) Wikipedia administrator Writ Keeper discovered
+            a stored XSS (HTML injection) vulnerability. This was 
+            possible due to the handling of link text on File: links for
+            nonexistent files. MediaWiki 1.16 and later is affected.</p>
+          <p>(Bug 39180) User Fomafix reported several DOM-based XSS
+            vulnerabilities, made possible by a combination of loose
+            filtering of the uselang parameter, and JavaScript gadgets
+            on various language Wikipedias.</p>
+          <p>(Bug 39180) During internal review, it was discovered that
+            CSRF tokens, available via the api, were not protected with
+            X-Frame-Options headers. This could lead to a CSRF vulnerability
+            if the API response is embedded in an external website using
+            using an iframe.</p>
+          <p>(Bug 39824) During internal review, it was discovered extensions
+            were not always allowed to prevent the account creation action.
+            This allowed users blocked by the GlobalBlocking extension to
+            create accounts.</p>
+          <p>(Bug 39184) During internal review, it was discovered that
+            password data was always saved to the local MediaWiki database
+            even if authentication was handled by an extension, such as LDAP.
+            This could allow a compromised MediaWiki installation to leak
+            information about user's LDAP passwords. Additionally, in situations
+            when an authentication plugin returned false in its strict
+            function, this would allow old passwords to be used for accounts
+            that did not exist in the external system, indefinitely.</p>
+          <p>(Bug 39823) During internal review, it was discovered that metadata
+            about blocks, hidden by a user with suppression rights, was visible
+            to administrators.</p> 
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39700</url>;
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=37587</url>;
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39180</url>;
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39824</url>;
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39184</url>;
+      <url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39823</url>;
+      <cvename>CVE-2012-4377</cvename>
+      <cvename>CVE-2012-4378</cvename>
+      <cvename>CVE-2012-4379</cvename>
+      <cvename>CVE-2012-4380</cvename>
+      <cvename>CVE-2012-4381</cvename>
+      <cvename>CVE-2012-4382</cvename>
+    </references>
+    <dates>
+      <discovery>2012-08-27</discovery>
+      <entry>2012-09-01</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5415f1b3-f33d-11e1-8bd8-0022156e8794">
     <topic>wireshark -- denial of service in DRDA dissector</topic>
     <affects>
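Review bot: In the quoted advisory, the DOM-based XSS paragraph and the CSRF-token paragraph both cite Bug 39180, while the `<references>` list carries a URL for bug 37587 that no paragraph mentions, so one of the two labels looks wrong. Presumably the Fomafix paragraph should open `<p>(Bug 37587) User Fomafix reported several DOM-based XSS`; confirm against the announcement named in the `cite` attribute before changing it. The CSRF paragraph also reads `using using an iframe`; drop the duplicate word only if it is not in the upstream text. The `;` after `<body …>`, `<blockquote …>` and each `</url>` also shows on the unchanged `<vuxml>` context line, so it is probably an artifact of the archive rendering, but if it is in the file those characters would sit in element-only content and the entry should be re-validated.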

Modified: head/www/mediawiki/Makefile
==============================================================================
--- head/www/mediawiki/Makefile	Sat Sep  1 12:17:56 2012	(r303470)
+++ head/www/mediawiki/Makefile	Sat Sep  1 12:44:33 2012	(r303471)
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	mediawiki
-PORTVERSION=	1.19.1
+PORTVERSION=	1.19.2
 CATEGORIES=	www
 MASTER_SITES=	http://dumps.wikimedia.org/mediawiki/${PORTVERSION:R}/
 

Modified: head/www/mediawiki/distinfo
==============================================================================
--- head/www/mediawiki/distinfo	Sat Sep  1 12:17:56 2012	(r303470)
+++ head/www/mediawiki/distinfo	Sat Sep  1 12:44:33 2012	(r303471)
@@ -1,2 +1,2 @@
-SHA256 (mediawiki-1.19.1.tar.gz) = 3f4e254b5a7fd74f9f623736d56e6ae40acad3d69c10d80cd7bc9b8b588d461a
-SIZE (mediawiki-1.19.1.tar.gz) = 17929538
+SHA256 (mediawiki-1.19.2.tar.gz) = fe5b8de52e546767aee018bb3f2d50b64ffd6c914e145de46de6001ec6691a7e
+SIZE (mediawiki-1.19.2.tar.gz) = 18266096

Modified: head/www/mediawiki118/Makefile
==============================================================================
--- head/www/mediawiki118/Makefile	Sat Sep  1 12:17:56 2012	(r303470)
+++ head/www/mediawiki118/Makefile	Sat Sep  1 12:44:33 2012	(r303471)
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	mediawiki
-PORTVERSION=	1.18.4
+PORTVERSION=	1.18.5
 CATEGORIES=	www
 MASTER_SITES=	http://dumps.wikimedia.org/mediawiki/${PORTVERSION:R}/
 

Modified: head/www/mediawiki118/distinfo
==============================================================================
--- head/www/mediawiki118/distinfo	Sat Sep  1 12:17:56 2012	(r303470)
+++ head/www/mediawiki118/distinfo	Sat Sep  1 12:44:33 2012	(r303471)
@@ -1,2 +1,2 @@
-SHA256 (mediawiki-1.18.4.tar.gz) = 0067ee3b200316791a8059dba9a164744facf216c26c6867a82643d4c72f54b6
-SIZE (mediawiki-1.18.4.tar.gz) = 17376708
+SHA256 (mediawiki-1.18.5.tar.gz) = d50b24e7ca680765e8848372359204620f5d30a33fbf3d65d12e8c9b35afa76f
+SIZE (mediawiki-1.18.5.tar.gz) = 17333243


