diff options
| author | tron <tron> | 2010-04-07 10:21:11 +0000 |
|---|---|---|
| committer | tron <tron> | 2010-04-07 10:21:11 +0000 |
| commit | 9aa1736e178759b958356bbd1a536024aab41f13 (patch) | |
| tree | 947860b8fc5c9cdd8f68d2b897906bb6a67133dc /biology/arka/DESCR | |
| parent | 91c5dd4c8f760dc45215af84e1ae944a02631b67 (diff) | |
| download | pkgsrc-9aa1736e178759b958356bbd1a536024aab41f13.tar.gz | |
Pullup ticket #3073 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.11
- www/mediawiki/distinfo 1.7
---
Module Name: pkgsrc
Committed By: martti
Date: Wed Apr 7 05:40:11 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log Message:
Updated www/mediawiki to 1.15.3
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
Diffstat (limited to 'biology/arka/DESCR')
0 files changed, 0 insertions, 0 deletions