CVS commit: [pkgsrc-2009Q4] pkgsrc/www/mediawiki

[Matthias Scheler <tron%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   tron
Date:           Tue Mar  9 10:51:52 UTC 2010

Modified Files:
        pkgsrc/www/mediawiki [pkgsrc-2009Q4]: Makefile distinfo

Log Message:
Pullup ticket #3046 - requested by martti
mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile                1.10
- www/mediawiki/distinfo                1.6
---
Module Name:    pkgsrc
Committed By:   martti
Date:           Tue Mar  9 05:16:42 UTC 2010

Modified Files:
        pkgsrc/www/mediawiki: Makefile distinfo

Log Message:
Updated www/mediawiki to 1.15.2

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.4.1 pkgsrc/www/mediawiki/Makefile
cvs rdiff -u -r1.5 -r1.5.4.1 pkgsrc/www/mediawiki/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.