Pullup ticket #3649 - requested by obache
www/mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.18
- www/mediawiki/PLIST 1.7
- www/mediawiki/distinfo 1.11
---
Module Name: pkgsrc
Committed By: obache
Date: Fri Jan 13 11:27:17 UTC 2012
Modified Files:
pkgsrc/www/mediawiki: Makefile PLIST distinfo
Log Message:
Update mediawiki to 1.17.2.
== MediaWiki 1.17.2 ==
2012-01-11
This is a maintenance and security release of the MediaWiki 1.17 branch.
=== Security changes ===
* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
=== Changes since 1.17.1 ===
* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.
== MediaWiki 1.17.1 ==
2011-11-24
This is a maintenance and security release of the MediaWiki 1.17 branch.
=== Security changes ===
* (bug 32276) Skins were generating output using the internal page title which
would allow anonymous users to determine whether a page exists, potentially
leaking private data. In fact, the curid and oldid request parameters would
allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal
functions without any read permission checks being done. This could lead to
data leakage on private wikis.
Bump PKGREVISION from PHP_VERSION_DEFAULT changes.
Add an apache option (defaults on) to allow building without apache
Updated www/mediawiki to 1.17.0
Summary of selected changes in 1.17
Selected changes since MediaWiki 1.16 that may be of interest:
A new installer has been introduced. It has a wizard-style interface which is translated into many languages. Many shortcomings in the old installer were addressed with this rewrite. Note that it is no longer required for the config directory to be made writable by the webserver. Instead the generated LocalSettings.php file is offered as a download, which you must then upload to the wiki's base directory.
ResourceLoader, a new framework for delivering client-side resources such as JavaScript and CSS, has been introduced. These resources are now delivered through the new entry point script "load.php", instead of as static files served directly by the web server. This allows minification, compression and client-side caching to be used more effectively, which should provide a net performance improvement for most users.
Category sorting has been improved.
Sorting is now case insensitive.
Sub-categories, pages and files can now be paged separately.
When several pages are given the same sort key, they sort by their names instead of randomly.
The lowest supported version of PHP is now 5.2.3. If necessary, please upgrade PHP prior to upgrading MediaWiki.
Summary of selected changes in 1.16
Selected changes since MediaWiki 1.15 that may be of interest:
Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden, since Atom is a better protocol and is supported by virtually all clients.
It's now possible to block users from sending email via Special:Emailuser.
The maintenance script system was overhauled. Most maintenance scripts now have a useful help page when you run them with --help.
AdminSettings.php is no longer required in order to run maintenance scripts. You can just set $wgDBadminuser and $wgDBadminpassword in your LocalSettings.php instead.
The preferences system was overhauled. Preferences are stored in a more compact format. Changes to site default preferences will automatically affect all users who have not chosen a different preference.
Support for SQLite was improved. Some broken features were fixed, and it now has an efficient full-text search.
The user groups ACL system was improved by allowing rights to be revoked, instead of just granted.
A new localisation caching system was introduced, which will make MediaWiki faster for almost everyone, especially when lots of extensions are enabled.
By default, this new system makes a lot of database queries. If your database is particularly slow, or if your system administrator limits your query count, or if you want to squeeze as much performance as possible out of Mediawiki, set $wgCacheDirectory to a writable path on the local filesystem. Make sure you have the DBA extension for PHP installed, this will improve performance further.
Reset maintainer.
Pullup ticket #3224 - requested by taca
www/mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.13
- www/mediawiki/distinfo 1.9
- www/mediawiki/patches/patch-aa 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 16 14:52:02 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Added Files:
pkgsrc/www/mediawiki/patches: patch-aa
Log Message:
Update mediawiki to 1.15.5.
== MediaWiki 1.15.5 ==
2010-07-28
This is a security and maintenance release.
MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
Pullup ticket #3130 - requested by martti
www/mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.12
- www/mediawiki/distinfo 1.8
---
Module Name: pkgsrc
Committed By: martti
Date: Fri May 28 08:11:32 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.4
This is a security and bugfix release of MediaWiki 1.15.4.
Two security vulnerabilities were discovered.
Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It affects Internet Explorer clients only. The issue is presumed to affect all recent versions of IE, it has been confirmed on IE 6 and 8. Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer. Full details can be found at: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
A CSRF vulnerability was discovered in our login interface. Although regular logins are protected as of 1.15.3, it was discovered that the account creation and password reset features were not protected from CSRF. This could lead to unauthorised access to private wikis. See https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.
These vulnerabilities are serious and all users are advised to upgrade. Remember that CSRF and XSS vulnerabilities can be used even against firewall-protected intranet installations, as long as the attacker can guess the URL.
Pullup ticket #3073 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.11
- www/mediawiki/distinfo 1.7
---
Module Name: pkgsrc
Committed By: martti
Date: Wed Apr 7 05:40:11 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.3
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki 1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients using it will need to be updated. We apologise for making such a disruptive change in a minor release, but we feel that security is paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
Pullup ticket #3046 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.10
- www/mediawiki/distinfo 1.6
---
Module Name: pkgsrc
Committed By: martti
Date: Tue Mar 9 05:16:42 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.2
Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected.
Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']. Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the patch below to whatever version of MediaWiki you are using.
Updated www/mediawiki to 1.15.1
Please read
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_0/phase3/RELEASE-NOTES
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/000087.html
for details.
Note: Version 1.13.5 did NOT have the XSS vulnerability...
Allow selection of mysql or pgsql options. Default unchanged at mysql
+PKG_DESTDIR_SUPPORT
Activated LICENSE=...
Pullup ticket #2707 - requested by martti
mediawiki: bug fix update
Revisions pulled up:
- www/mediawiki/Makefile 1.5
- www/mediawiki/distinfo 1.4
---
Module Name: pkgsrc
Committed By: martti
Date: Sun Feb 22 11:58:57 UTC 2009
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.13.5
This is a maintenance release which corrects some bugs in the installer, introduced during the hasty security release of 1.13.4. It is not necessary to upgrade if you do not intend on using the installer.
Pullup ticket #2690 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.4
- www/mediawiki/PLIST 1.3
- www/mediawiki/distinfo 1.3
---
Module Name: pkgsrc
Committed By: martti
Date: Sat Feb 7 11:09:37 UTC 2009
Modified Files:
pkgsrc/www/mediawiki: Makefile PLIST distinfo
Log Message:
Updated www/mediawiki to 1.13.4
A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service.
If you are hosting an old copy of MediaWiki that you have never installed, we advise you to remove it from the web.
Updated www/mediawiki to 1.13.3
This is a security release of MediaWiki 1.13.3. Some of the security issues affect *all* versions of MediaWiki except the versions released today, so all site administrators are encouraged to upgrade.
http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
Set myself as the maintainer.
MediaWiki is free server-based software which is licensed under the GNU General Public License (GPL). It's designed to be run on a large server farm for a website that gets millions of hits per day. MediaWiki is an extremely powerful, scalable software and a feature-rich wiki implementation, that uses PHP to process and display data stored in its MySQL database.
Initial revision