author | wen <wen@pkgsrc.org> | 2015-08-12 13:49:40 +0000 |
---|---|---|
committer | wen <wen@pkgsrc.org> | 2015-08-12 13:49:40 +0000 |
commit | 4db0f2d0b175da6bd2718bb1b9a9201acff5a482 (patch) | |
tree | 3b64b099c5ffce7953395630d4ea6502bdf46fcd /www/mediawiki/Makefile | |
parent | 540881c015e4a3d8cfaf34ea588899507e3a4044 (diff) | |
download | pkgsrc-4db0f2d0b175da6bd2718bb1b9a9201acff5a482.tar.gz |
Update to 1.25.2
Upstream changes:
== Security fixes ==
* Internal review discovered that Special:DeletedContributions did not
properly protect the IP of autoblocked users. This fix makes the
functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.
<https://phabricator.wikimedia.org/T106893>
* Internal review discovered that watchlist anti-csrf tokens were not being
compared in constant time, which could allow various timing attacks. This
could allow an attacker to modify a user's watchlist via csrf.
<https://phabricator.wikimedia.org/T94116>
* John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in xss.
<https://phabricator.wikimedia.org/T97391>
Additionally, the following extensions have been updated to fix security
issues:
* Extension:SemanticForms - MediaWiki user Grunny discovered multiple
reflected xss vectors in SemanticForms. Further internal review discovered
and fixed other reflected and stored xss vectors.
<https://phabricator.wikimedia.org/T103391>
<https://phabricator.wikimedia.org/T103765>
<https://phabricator.wikimedia.org/T103761>
* Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal
review discovered that the contrib directory for GeSHi was re-included in
MediaWiki 1.25. Some scripts could potentially be used for DoS, and
DAU Huy Ngoc discovered an xss vector. All contrib scripts have been
removed.
<https://phabricator.wikimedia.org/T108198>
* Extension:TimedMediaHandler - User:McZusatz reported that resetting
transcodes deleted the transcode without creating a new one, which could be
used for vandalism or potentially DoS.
<https://phabricator.wikimedia.org/T100211>
* Extension:Quiz - Internal review discovered that Quiz did not properly
escape regex metacharacters in a user controlled regular expression,
enabling a DoS vector.
<https://phabricator.wikimedia.org/T97083>
* Extension:Widgets - MediaWiki developer Majr reported a potential HTML
injection (xss) vector.
<https://phabricator.wikimedia.org/T88964>
== Bug Fixes in 1.25.2 ==
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a "manifest_version" property for 1.26 compatibility will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
Diffstat (limited to 'www/mediawiki/Makefile')
-rw-r--r-- | www/mediawiki/Makefile | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/www/mediawiki/Makefile b/www/mediawiki/Makefile index e7d923344f0..a6257a11580 100644 --- a/www/mediawiki/Makefile +++ b/www/mediawiki/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.53 2015/06/12 10:51:50 wiz Exp $ +# $NetBSD: Makefile,v 1.54 2015/08/12 13:49:40 wen Exp $ DISTNAME= mediawiki-${VER}.${PVER} -PKGREVISION= 1 CATEGORIES= www MASTER_SITES= http://releases.wikimedia.org/mediawiki/${VER}/ @@ -23,7 +22,7 @@ INSTALLATION_DIRS= ${EGDIR} share/mediawiki .include "options.mk" VER= 1.25 -PVER= 1 +PVER= 2 APACHE_USER?= www APACHE_GROUP?= www |
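Review bot: In the first hunk (@@ -1,7 +1,6 @@), the MASTER_SITES context line still fetches the distfile over plain http://releases.wikimedia.org/, and this view is limited to www/mediawiki/Makefile, so the matching distinfo change cannot be checked here. Because this update carries security fixes, please confirm that the distinfo checksums were regenerated for the 1.25.2 tarball, and consider moving MASTER_SITES to https if the release host serves it. Dropping PKGREVISION= 1 alongside the version bump looks right.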
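Review bot: In the second hunk (@@ -23,7 +22,7 @@), VER= and PVER= are assigned after .include "options.mk", far from the DISTNAME= line at the top that uses them. Lazy expansion keeps DISTNAME= mediawiki-${VER}.${PVER} working, but any conditional in options.mk that tests these variables would be evaluated before they are set. Consider moving both assignments next to DISTNAME so the version is defined before any include and a future bump touches one place.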