From: Wen Heping
Date: Sat, 1 Sep 2012 12:44:33 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r303471 - in head: security/vuxml www/mediawiki www/mediawiki118

Author: wen
Date: Sat Sep 1 12:44:33 2012
New Revision: 303471
URL: http://svn.freebsd.org/changeset/ports/303471

Log:
  - Update www/mediawiki to 1.19.2
  - Update www/mediawiki118 to 1.18.5
  - Document the security bugs

Modified:
  head/security/vuxml/vuln.xml
  head/www/mediawiki/Makefile
  head/www/mediawiki/distinfo
  head/www/mediawiki118/Makefile
  head/www/mediawiki118/distinfo

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Sep 1 12:17:56 2012 (r303470) +++ head/security/vuxml/vuln.xml Sat Sep 1 12:44:33 2012 (r303471) @@ -51,6 +51,73 @@ Note: Please add new entries to the beg --> + + mediawiki -- multiple vulnerabilities + + + mediawiki + 1.19.2 + + + mediawiki118 + 1.18.5 + + + + +

Mediawiki reports:

+
+

(Bug 39700) Wikipedia administrator Writ Keeper discovered + a stored XSS (HTML injection) vulnerability. This was + possible due to the handling of link text on File: links for + nonexistent files. MediaWiki 1.16 and later is affected.

+

(Bug 39180) User Fomafix reported several DOM-based XSS + vulnerabilities, made possible by a combination of loose + filtering of the uselang parameter, and JavaScript gadgets + on various language Wikipedias.

+

(Bug 39180) During internal review, it was discovered that + CSRF tokens, available via the api, were not protected with + X-Frame-Options headers. This could lead to a CSRF vulnerability + if the API response is embedded in an external website using + using an iframe.

+

(Bug 39824) During internal review, it was discovered extensions + were not always allowed to prevent the account creation action. + This allowed users blocked by the GlobalBlocking extension to + create accounts.

+

(Bug 39184) During internal review, it was discovered that + password data was always saved to the local MediaWiki database + even if authentication was handled by an extension, such as LDAP. + This could allow a compromised MediaWiki installation to leak + information about user's LDAP passwords. Additionally, in situations + when an authentication plugin returned false in its strict + function, this would allow old passwords to be used for accounts + that did not exist in the external system, indefinitely.

+

(Bug 39823) During internal review, it was discovered that metadata + about blocks, hidden by a user with suppression rights, was visible + to administrators.

+
+ +
+ + https://bugzilla.wikimedia.org/show_bug.cgi?id=39700 + https://bugzilla.wikimedia.org/show_bug.cgi?id=37587 + https://bugzilla.wikimedia.org/show_bug.cgi?id=39180 + https://bugzilla.wikimedia.org/show_bug.cgi?id=39824 + https://bugzilla.wikimedia.org/show_bug.cgi?id=39184 + https://bugzilla.wikimedia.org/show_bug.cgi?id=39823 + CVE-2012-4377 + CVE-2012-4378 + CVE-2012-4379 + CVE-2012-4380 + CVE-2012-4381 + CVE-2012-4382 + + + 2012-08-27 + 2012-09-01 + +
+ wireshark -- denial of service in DRDA dissector Modified: head/www/mediawiki/Makefile ============================================================================== --- head/www/mediawiki/Makefile Sat Sep 1 12:17:56 2012 (r303470) +++ head/www/mediawiki/Makefile Sat Sep 1 12:44:33 2012 (r303471) @@ -6,7 +6,7 @@ # PORTNAME= mediawiki -PORTVERSION= 1.19.1 +PORTVERSION= 1.19.2 CATEGORIES= www MASTER_SITES= http://dumps.wikimedia.org/mediawiki/${PORTVERSION:R}/ Modified: head/www/mediawiki/distinfo ============================================================================== --- head/www/mediawiki/distinfo Sat Sep 1 12:17:56 2012 (r303470) +++ head/www/mediawiki/distinfo Sat Sep 1 12:44:33 2012 (r303471) @@ -1,2 +1,2 @@ -SHA256 (mediawiki-1.19.1.tar.gz) = 3f4e254b5a7fd74f9f623736d56e6ae40acad3d69c10d80cd7bc9b8b588d461a -SIZE (mediawiki-1.19.1.tar.gz) = 17929538 +SHA256 (mediawiki-1.19.2.tar.gz) = fe5b8de52e546767aee018bb3f2d50b64ffd6c914e145de46de6001ec6691a7e +SIZE (mediawiki-1.19.2.tar.gz) = 18266096 Modified: head/www/mediawiki118/Makefile ============================================================================== --- head/www/mediawiki118/Makefile Sat Sep 1 12:17:56 2012 (r303470) +++ head/www/mediawiki118/Makefile Sat Sep 1 12:44:33 2012 (r303471) @@ -6,7 +6,7 @@ # PORTNAME= mediawiki -PORTVERSION= 1.18.4 +PORTVERSION= 1.18.5 CATEGORIES= www MASTER_SITES= http://dumps.wikimedia.org/mediawiki/${PORTVERSION:R}/ Modified: head/www/mediawiki118/distinfo ============================================================================== --- head/www/mediawiki118/distinfo Sat Sep 1 12:17:56 2012 (r303470) +++ head/www/mediawiki118/distinfo Sat Sep 1 12:44:33 2012 (r303471) 
@@ -1,2 +1,2 @@ -SHA256 (mediawiki-1.18.4.tar.gz) = 0067ee3b200316791a8059dba9a164744facf216c26c6867a82643d4c72f54b6 -SIZE (mediawiki-1.18.4.tar.gz) = 17376708 +SHA256 (mediawiki-1.18.5.tar.gz) = d50b24e7ca680765e8848372359204620f5d30a33fbf3d65d12e8c9b35afa76f +SIZE (mediawiki-1.18.5.tar.gz) = 17333243
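
Review bot: in the vuln.xml hunk, the description labels two different items "(Bug 39180)" (the uselang DOM-based XSS and the CSRF-token X-Frame-Options issue), while the references include show_bug.cgi?id=37587, which no item in the description cites. Please check the labels against the upstream announcement so that each described issue maps to exactly one listed bug. The entry also lists CVE-2012-4377 through CVE-2012-4382 without tying any CVE to a bug, which makes it hard for a reader to match a scanner hit to the issue it describes. The doubled word in "using using an iframe" can stay if it is upstream's wording, since the text is presented as a quotation.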
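
Review bot: in the two distinfo hunks, the new SHA256 and SIZE values for mediawiki-1.19.2.tar.gz and mediawiki-1.18.5.tar.gz are the only integrity check on the distfiles, because the unchanged MASTER_SITES line in both Makefiles fetches from http://dumps.wikimedia.org/ over plain HTTP. The log message does not say how the hashes were obtained; for a security update it would help to note that they were compared against the upstream release announcement or signature rather than computed from a single HTTP download.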