Comment 5 for bug 557159

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.1-1ubuntu2

---------------
mediawiki (1:1.15.1-1ubuntu2) lucid; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:46:10 +0200