[evolvis-commits] r18312: Merge 1:1.15.5-2 from squeeze (testing-security) to fix CVE-2011-0003

mirabilos at evolvis.org
Wed Apr 11 11:16:31 CEST 2012


Author: mirabilos
Date: 2012-04-11 11:16:30 +0200 (Wed, 11 Apr 2012)
New Revision: 18312

Added:
   trunk/mediawiki/debian/patches/CVE-2011-0003.patch
Modified:
   trunk/mediawiki/debian/changelog
   trunk/mediawiki/debian/patches/series
Log:
Merge 1:1.15.5-2 from squeeze (testing-security) to fix CVE-2011-0003

Modified: trunk/mediawiki/debian/changelog
===================================================================
--- trunk/mediawiki/debian/changelog	2012-04-11 09:16:29 UTC (rev 18311)
+++ trunk/mediawiki/debian/changelog	2012-04-11 09:16:30 UTC (rev 18312)
@@ -1,4 +1,4 @@
-mediawiki (1:1.15.5-2) UNRELEASED; urgency=high
+mediawiki (1:1.15.5-3) UNRELEASED; urgency=low
 
   * debian/patches/fix_datetime.patch: new, convert argument into
     the format expected by other methods, fixes date/time output
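Review bot: the urgency on `+mediawiki (1:1.15.5-3) UNRELEASED; urgency=low` drops from high to low, yet this renumbered -3 entry is the upload that will first ship CVE-2011-0003.patch from trunk (the series change later in this revision adds it), and a security fix normally keeps urgency=high; either restore the urgency or add a bullet to this entry saying the CVE fix is included when it is released. The renumbering itself is correct, since 1:1.15.5-2 is now taken by the merged testing-security upload.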
@@ -6,6 +6,14 @@
 
  -- Thorsten Glaser <tg at mirbsd.de>  Tue, 07 Sep 2010 11:04:26 +0200
 
+mediawiki (1:1.15.5-2) testing-security; urgency=high
+
+  * CVE-2011-0003: Protect against clickjacking by sending the
+    X-Frame-Options header in all pages (except normal page views
+    and a few selected special pages). Patch as released by upstream
+
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk>  Tue, 04 Jan 2011 22:39:26 +0000
+
 mediawiki (1:1.15.5-1) unstable; urgency=high
 
   [ Thorsten Glaser ]
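Review bot: the merged trailer `+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk>  Tue, 04 Jan 2011 22:39:26 +0000` is dated after the trailer of the -3 entry that now sits above it (`-- Thorsten Glaser <tg at mirbsd.de>  Tue, 07 Sep 2010 11:04:26 +0200`), so the changelog is no longer in chronological order; refresh the -3 trailer date when that entry is finalised. Minor: the bullet ending in `Patch as released by upstream` has no terminating period and could name the patch file (CVE-2011-0003.patch) so the entry can be traced to the file in debian/patches, in the style of the fix_datetime bullet above.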

Added: trunk/mediawiki/debian/patches/CVE-2011-0003.patch
===================================================================
--- trunk/mediawiki/debian/patches/CVE-2011-0003.patch	                        (rev 0)
+++ trunk/mediawiki/debian/patches/CVE-2011-0003.patch	2012-04-11 09:16:30 UTC (rev 18312)
@@ -0,0 +1,28 @@
+Description: prevent ClickJacking by breaking out of iframes
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
+Author: Tim Starling
+Last-Update: 2011-01-04
+
+--- mediawiki-1.15.5.orig/config/index.php
++++ mediawiki-1.15.5/config/index.php
+@@ -21,6 +21,7 @@
+ 
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+ 
+ # In case of errors, let output be clean.
+--- mediawiki-1.15.5.orig/includes/OutputPage.php
++++ mediawiki-1.15.5/includes/OutputPage.php
+@@ -957,6 +957,9 @@
+ 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+ 
++		# To prevent clickjacking, do not allow this page to be inside a frame.
++		$wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ 		if ($this->mArticleBodyOnly) {
+ 			$this->out($this->mBodytext);
+ 		} else {
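Review bot: the includes/OutputPage.php part sends `$wgRequest->response()->header( 'X-Frame-Options: DENY' );` unconditionally, before the `if ($this->mArticleBodyOnly)` branch, so every page that goes through this output path refuses to be framed; that contradicts the changelog entry merged in this same revision, which says the header is sent on all pages except normal page views and a few selected special pages. Either the changelog wording should say "all pages", or the conditional part of the upstream change is missing from this backport; the distinction matters because with DENY any site that legitimately embeds wiki pages in a frame will now get a blank frame. Minor: the DEP-3 `Description:` line says "breaking out of iframes", but the patch adds no frame-busting script; it asks the browser not to render the page inside a frame, which is what the header does, so "refuse rendering in frames" would describe it accurately. The config/index.php part is fine as is, the header is emitted right after Content-type and before any output.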

Modified: trunk/mediawiki/debian/patches/series
===================================================================
--- trunk/mediawiki/debian/patches/series	2012-04-11 09:16:29 UTC (rev 18311)
+++ trunk/mediawiki/debian/patches/series	2012-04-11 09:16:30 UTC (rev 18312)
@@ -5,4 +5,5 @@
 add_rss_guid.patch
 backup_documentation.patch
 suppress_warnings.patch
+CVE-2011-0003.patch
 fix_datetime.patch
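Review bot: `+CVE-2011-0003.patch` is inserted before `fix_datetime.patch` rather than appended after it, which changes the base that the still-unreleased fix_datetime.patch applies against; run `quilt push -a` (or a full build) to confirm both patches still apply cleanly in this order, since the CVE patch touches includes/OutputPage.php and config/index.php and any overlap with fix_datetime.patch would surface as a fuzz or reject.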