pkgsrc/www/mediawiki
wen 51e8a514ff Update to 1.25.2
Upstream changes:
== Security fixes ==

* Internal review discovered that Special:DeletedContributions did not properly
protect the IP of autoblocked users. This fix makes the functionality of
Special:DeletedContributions consistent with Special:Contributions and
Special:BlockList.
<https://phabricator.wikimedia.org/T106893>

* Internal review discovered that watchlist anti-csrf tokens were not being
compared in constant time, which could allow various timing attacks. This
could allow an attacker to modify a user's watchlist via csrf.
<https://phabricator.wikimedia.org/T94116>

* John Menerick reported that MediaWiki's thumb.php failed to sanitize various
error messages, resulting in xss.
<https://phabricator.wikimedia.org/T97391>

Additionally, the following extensions have been updated to fix security
issues:

* Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected
xss vectors in SemanticForms. Further internal review discovered and fixed
other reflected and stored xss vectors.
<https://phabricator.wikimedia.org/T103391>
<https://phabricator.wikimedia.org/T103765>
<https://phabricator.wikimedia.org/T103761>

* Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal
review discovered that the contrib directory for GeSHi was re-included in
MediaWiki 1.25. Some scripts could potentially be used for DoS, and
DAU Huy Ngoc discovered an xss vector. All contrib scripts have been
removed.
<https://phabricator.wikimedia.org/T108198>

* Extension:TimedMediaHandler - User:McZusatz reported that resetting
transcodes deleted the transcode without creating a new one, which could be
used for vandalism or potentially DoS.
<https://phabricator.wikimedia.org/T100211>

* Extension:Quiz - Internal review discovered that Quiz did not properly escape
regex metacharacters in a user controlled regular expression, enabling a DoS
vector.
<https://phabricator.wikimedia.org/T97083>

* Extension:Widgets - MediaWiki developer Majr reported a potential HTML
injection (xss) vector.
<https://phabricator.wikimedia.org/T88964>


== Bug Fixes in 1.25.2 ==
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
  policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
  false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
  $wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
  a "manifest_version" property for 1.26 compatibility will no longer
  trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
  page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
  named variable. Add an additional check that an index is defined.
2015-08-12 13:49:40 +00:00
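The watchlist token issue (T94116) above is a timing side channel in token comparison. The following is an added illustration, not MediaWiki's own code: an instrumented early-exit comparison shows how the amount of work (and thus response time) tracks the length of the correctly guessed prefix, beside the fixed-time check a handler should use. The session token value is constructed for the example.

```python
import hmac
from typing import List, Tuple

# Constructed sample: a per-session anti-csrf token of the kind a watchlist
# edit form carries. The value is made up for this example.
SESSION_TOKEN = "3f9a7c21b0d4e8a6c5f1e2d3b4a59687"


def naive_compare(expected: str, submitted: str) -> Tuple[bool, int]:
    """Byte-by-byte compare that stops at the first mismatch.

    Returns (equal, bytes_inspected). The second value is what a remote
    observer can infer from response time: it grows with the length of
    the correctly guessed prefix, which is the leak fixed in 1.25.2.
    """
    inspected = 0
    if len(expected) != len(submitted):
        return False, inspected
    for a, b in zip(expected, submitted):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_compare(expected: str, submitted: str) -> bool:
    """Fixed-time comparison: work done does not depend on where inputs differ."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


def validate_watchlist_request(submitted_token: str,
                               session_token: str = SESSION_TOKEN) -> bool:
    """The check a watchlist-edit handler performs before mutating state."""
    if not submitted_token:
        return False
    return constant_time_compare(session_token, submitted_token)


def leak_profile(expected: str, guesses: List[str]) -> List[int]:
    """Bytes inspected by the naive compare for each guess: the side channel."""
    return [naive_compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    probes = ["0" * 32, SESSION_TOKEN[:8] + "0" * 24, SESSION_TOKEN[:16] + "0" * 16]
    print("naive compare work per probe:", leak_profile(SESSION_TOKEN, probes))
    print("valid token accepted:", validate_watchlist_request(SESSION_TOKEN))
```

Each probe in the demo is rejected by both comparisons; only the naive one reveals, through its work count, how much of the prefix was right.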