mediawiki (1:1.19.20+dfsg-0+deb7u3) wheezy-security; urgency=medium

  * CVE-2014-9277: Fix regression introduced by previous patch.
  * Add patch fixing T76686: thumb.php outputs wikitext message as raw
    HTML, which could lead to xss. Permission to edit MediaWiki namespace
    is required to exploit this.

 -- Sebastien Delafond <seb@debian.org>  Sun, 21 Dec 2014 13:03:27 +0100

mediawiki (1:1.19.20+dfsg-0+deb7u2) wheezy-security; urgency=medium

  * Non-maintainer upload by the Security Team.
  * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
    poses a potentially severe security problem for API clients written in
    PHP, in that format=php is affected.

 -- Sebastien Delafond <seb@debian.org>  Wed, 10 Dec 2014 23:26:48 +0100

mediawiki (1:1.19.20+dfsg-0+deb7u1) wheezy-security; urgency=high

  * New upstream security release:
    - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove
      separation of css and js module allowance.

 -- Thorsten Glaser <tg@mirbsd.de>  Thu, 02 Oct 2014 10:57:16 +0200

mediawiki (1:1.19.19+dfsg-0+deb7u1) wheezy-security; urgency=medium

  * Remove Romain Beauxis’ bouncing eMail address
  * Acknowledge NMU (1:1.19.18+dfsg-0+deb7u1) – thanks!
  * New upstream security and maintenance release:
    - (bug 69008) SECURITY: Enhance CSS filtering in SVG files.
      Filter <style> elements; normalize style elements and
      attributes before filtering; add checks for attributes that
      contain css; add unit tests for html5sec and reported bugs.

 -- Thorsten Glaser <tg@mirbsd.de>  Thu, 25 Sep 2014 16:48:28 +0200

mediawiki (1:1.19.18+dfsg-0+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Imported Upstream version 1.19.18+dfsg
    (Closes: #752622, #758510)
    - CVE-2014-5241 (bug 68187) SECURITY: Prepend jsonp callback with comment.
    - CVE-2014-5243 (bug 65778) SECURITY: Copy prevent-clickjacking between
      OutputPage and ParserOutput.

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 19 Aug 2014 06:47:09 +0200

mediawiki (1:1.19.17+dfsg-0+deb7u1) wheezy-security; urgency=medium

  * New upstream security and maintenance release:
    - (bug 65839) SECURITY: Prevent external resources in SVG files.
    - (bug 66428) MimeMagic: Don't seek before BOF. This has weird
      side effects like only extracting the tail of the file partially
      or not at all.

 -- Thorsten Glaser <tg@mirbsd.de>  Mon, 30 Jun 2014 09:34:32 +0200

mediawiki (1:1.19.16+dfsg-0+deb7u1) wheezy-security; urgency=medium

  * New upstream security and maintenance release:
    - CVE-2014-3966 (bug 65501) SECURITY: Don't parse usernames as
      wikitext on Special:PasswordReset.
  * Update debian/upstream/signing-key.asc
  * Conflicts: mediawiki-classes (Closes: #748941)

 -- Thorsten Glaser <tg@mirbsd.de>  Wed, 11 Jun 2014 16:42:23 +0200

mediawiki (1:1.19.15+dfsg-0+deb7u1) wheezy-security; urgency=medium

  * New upstream security and maintenance release:
    - Fixed resetting passwords
    - (bug 58640) Fixed compatibility issue with PCRE 8.34 that
      caused pages to appear blank or with missing text

 -- Thorsten Glaser <tg@mirbsd.de>  Thu, 03 Apr 2014 10:27:07 +0200

mediawiki (1:1.19.14+dfsg-0+deb7u2) wheezy-security; urgency=high

  * “Oops…” release (Closes: #743165)
  * Remove two lines from d/rules that slipped in despite review
    left over from the package split in jessie/sid which should
    not have gone in here

 -- Thorsten Glaser <tg@mirbsd.de>  Mon, 31 Mar 2014 09:24:23 +0200

mediawiki (1:1.19.14+dfsg-0+deb7u1) wheezy-security; urgency=high

  * New upstream security fix release (Closes: #742857):
    - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
    - (bug 62467) Set a title for the context during import on the cli
    - (bug 61362) Don't find links in the middle of api.php links
    - (bug 60771) disallow iframe and unusual namespaces in SVG
    - (bug 61346) make token comparison use constant time
  * Fix bugs (file permissions; superfluous COPYING files) lintian
    pointed out (backported from sid)
  * Backport debian/rules get-orig-source-*, debian/upstream/signing-key.asc
    and debian/watch changes from sid, to prepare for sid (or experimental)
    switching to MediaWiki 1.23 (in which case further updates for stable
    will need to be made using this SVN branch)

 -- Thorsten Glaser <tg@mirbsd.de>  Fri, 28 Mar 2014 10:36:48 +0100

mediawiki (1:1.19.11+dfsg-0+deb7u1) wheezy-security; urgency=high

  [ Thorsten Glaser ]
  * New upstream security fix release (Closes: #729629, #706601):
    - CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
    - CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
    - CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
    - CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
    - CVE-2013-6454 (bug 58472) Disallow -o-link in styles
    - CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks
    - CVE-2013-4572 (bug 53032) Don't cache when a call could autocreate
    - CVE-2013-4567 (bug 55332) Vertical tab allows bypassing filters
    - CVE-2013-4568 (bug 55332) "expression" filtering in IE6 bypass
    - SVG script filtering could be bypassed for Chrome and Firefox
      clients by using an encoding that MediaWiki understood, but these
      browsers interpreted as UTF-8. (CVE-2013-2031)
    - Internal review discovered that extensions were not given the
      opportunity to disable a password reset, which could lead to
      circumvention of two-factor authentication (CVE-2013-2032)
    - (and others)
  * Replace trademarked image files by self-drawn Free ones
  * Secure the default images directory (Closes: #716884)
  * Handle /var/lib/mediawiki/extensions/* always as symlinks, for
    both core and extra extensions, with upgrade path (Closes: #719208)
  * Ship files in /etc/mediawiki-extensions/extensions-available/
    for extensions shipped with the mediawiki core
  * Change watch file to track upstream LTS version
  * debian/control: Change VCS-* URLs (unbreak; point to stable)
  * Update copyright file with things noted by Paul Tagliamonte, thanks!
  * Refresh one patch to make it apply cleanly against 1.19.11

  [ Florian Weimer ]
  * Add “Replaces: mediawiki-extensions-confirmedit”

 -- Thorsten Glaser <tg@mirbsd.de>  Mon, 10 Feb 2014 13:07:38 +0100

mediawiki (1:1.19.5-1+deb7u1) stable-security; urgency=low

  * CVE-2013-4302: apply patch from upstream to prevent
    access to anti-CSRF tokens via JSONP

 -- Jonathan Wiltshire <jmw@debian.org>  Sun, 08 Sep 2013 19:40:24 +0100

mediawiki (1:1.19.5-1) unstable; urgency=high

  [ Platonides ]
  * Update config URL in README.Debian (Closes: #703804)

  [ Thorsten Glaser ]
  * Re-add LocalSettings creation snippet for support of the
    mediawiki-extensions Debian packaging (Closes: #703852)
  * New upstream security-only release:
    - (bug 47251) SECURITY: Disable external entities in Import
    - (bug 46859) SECURITY: Disable external entities in XMLReader
    - (bug 46084) SECURITY: Sanitize $limitReport before outputting
    - (bug 43594) Fix notices displayed on PHP 5.4
    - (bug 40585) Don't drop 'step="any"' in HTML input fields.
  * Refresh patches against new upstream code

 -- Thorsten Glaser <tg@mirbsd.de>  Tue, 16 Apr 2013 11:04:05 +0200

mediawiki (1:1.19.4-1) unstable; urgency=high

  * Urgency high for security fix
  * New upstream release:
    - New preference type - 'api'. Preferences of this type are not shown
      on Special:Preferences, but are still available via the
      action=options API.
    - (bug 44010) Context is passed to UserGetLanguageObject.
    - The recursion guard on RequestContext::getLanguage() was weakened.
    - (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
    - (bug 43518) API action=unblock should return the user name, not the
      full user object (Closes: #702305)
    - Increase timeout values for some tests

 -- Jonathan Wiltshire <jmw@debian.org>  Mon, 04 Mar 2013 23:06:30 +0000

mediawiki (1:1.19.3-2) unstable; urgency=low

  * Add missing changelog entries to 1:1.19.3-1 upload (oops…)
  * Upstream patch to fix XHTML issue in Special:Upload (BZ#40889)
  * Upstream patch to fix another MySQLism (BZ#39635) (Closes: #700595)
  * Update lintian overrides

 -- Thorsten Glaser <tg@mirbsd.de>  Mon, 18 Feb 2013 10:24:08 +0100

mediawiki (1:1.19.3-1) unstable; urgency=high

  [ Thorsten Glaser ]
  * Note: these changes were part of this upload, even though
    they were not detailed in this changelog entry when uploading:
  * <img> tags must always have an alt attribute
  * fix DB upgrade FUBAR issue for PostgreSQL (BZ#29635)
  * allow MySQL users to choose either PHP5 client library (Closes: #689758)

  [ Dominik George ]
  * Team upload
  * New upstream version fixes security issues (Closes: #694998)
    + Prevent session fixation in Special:UserLogin (CVE-2012-5391)
      https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
    + Prevent linker regex from exceeding PCRE backtrack limit
      https://bugzilla.wikimedia.org/show_bug.cgi?id=41400

  [ Thorsten Glaser ]
  * Fix spelling error in README.Debian (thanks lintian!)

 -- Dominik George <nik@naturalnet.de>  Wed, 12 Dec 2012 09:44:08 +0100

mediawiki (1:1.19.2-2) unstable; urgency=low

  * debian/watch: mangle the epoch away so DDPO is green again
  * Break mw-ext-fckeditor, it doesn’t work with 1.19 (Closes: #689375)

 -- Thorsten Glaser <tg@mirbsd.de>  Tue, 02 Oct 2012 14:09:42 +0200

mediawiki (1:1.19.2-1) unstable; urgency=low

  [ Thorsten Glaser ]
  * New upstream: security fixes for CVE-2012-4377, CVE-2012-4378,
    CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382
    (Closes: #686330)
  * Prevent <table></table> without any <tr /> inside, globally
  * Fix more cases of not checking $wgHtml5
  * MW’s ID (XML) sanitiser is there for a reason, use it!
  * Prevent <ul></ul> without any <li /> inside in MonoBook
  * Fix invalid XHTML caused by code not honouring $wgHtml5
  * Quell some PHP warnings from sloppy code
  * Do the wfSuppressWarnings patch used with FusionForge right
  * Add myself to Uploaders and quieten lintian a bit
  * Do not replace patched jquery-tablesorter with unpatched one;
    unbreaks sortable tables (Closes: #687519)
  * Update versioned Breaks against fusionforge and mw-extensions

  [ Jonathan Wiltshire ]
  * Add Recommends on mediawiki-extensions-base and php-wikidiff2

 -- Thorsten Glaser <tg@mirbsd.de>  Thu, 20 Sep 2012 13:40:12 +0200

mediawiki (1:1.19.1-1) unstable; urgency=low

  * New upstream bug fix release
    Closes: #672818, 677895 (CVE-2012-2698)
    - debian/rules: remove all .gitignore files too, since upstream
      switched to git VCS
  * Remove last traces of mediaiki-math binary package
  * Remove CDBS logic and dependencies and use dh
    auto-sequencer instead
  * Depend on debhelper >=9 and use compat level 9; this
    stops dh_pysupport adding files to the build
  * Do not run update debconf translations on clean
  * Disable patch texvc_location.patch; this really belongs in mediawiki-math
    now and especially considering <1632437115.20120612191230@gmail.com>
  * Add a versioned Breaks on fusionforge-plugin-mediawiki
  * Upload to unstable

 -- Jonathan Wiltshire <jmw@debian.org>  Mon, 18 Jun 2012 15:25:25 +0100

mediawiki (1:1.19.0-1) experimental; urgency=low

  * New upstream release
  * Standards version 3.9.3 (no changes)
  * Update debian/NEWS version

 -- Jonathan Wiltshire <jmw@debian.org>  Mon, 04 Jun 2012 20:14:14 +0100

mediawiki (1:1.18.1-1) experimental; urgency=low

  * New upstream release (Closes: #613791, #619159, #550940, #460831)
  * Remove patches integrated upstream in this version
  * Standards version 3.9.2
  * Drop mediawiki-math binary package, it is no longer shipped upstream
  * Add sqlite3 to Recommends (Closes: #612212)
  * Use system copies of javascript libraries where available
  * Document upgrade procedure in debian/NEWS
  * Debconf translation to Danish (Closes: #627848)

 -- Jonathan Wiltshire <jmw@debian.org>  Sun, 15 Jan 2012 00:10:18 +0000

mediawiki (1:1.15.5-10) unstable; urgency=low

  * Team upload.
  * Apply SQL fix for schema search paths by Roland Mas (#673125)

 -- Thorsten Glaser <tg@mirbsd.de>  Wed, 30 May 2012 16:50:36 +0200

mediawiki (1:1.15.5-9) unstable; urgency=high

  * Team upload.
  * Address MW security release 1.18.1-1 (Closes: #666269)
    - CVE-2012-1578 MW#34212: doesn’t affect 1.15
    - CVE-2012-1579 MW#34907: doesn’t affect 1.15
    - CVE-2012-1580 MW#35317: doesn’t affect 1.15
    - CVE-2012-1581 MW#35078: fix backported
    - CVE-2012-1582 MW#35315: fix backported
  * Apply some lintian cleanup

 -- Thorsten Glaser <tg@mirbsd.de>  Wed, 16 May 2012 15:01:06 +0200

mediawiki (1:1.15.5-8) unstable; urgency=low

  * Fix reversing IPv4 address for SORBS blacklist; patch from
    Nye Liu <nyet@nyet.org> (Closes: #658672)
  * Backport a method called by CVE-2011-1580.patch (Closes: #658682)
  * Fix warnings issued by PHP 5.4 (Closes: #661682)
  * Suggest librsvg-bin (Closes: #644731)
  * Demote database server to Suggests (Closes: #617561)
  * Add dansk translation (Closes: #627848)

 -- Thorsten Glaser <tg@mirbsd.de>  Thu, 15 Mar 2012 12:52:09 +0100

mediawiki (1:1.15.5-7) unstable; urgency=high

  * debian/patches/CVE-2011-4360.patch: remove – the information
    disclosure does not happen on 1.15 and the patch would not
    work anyway because the OutputPage object has no setTitle
    method (this prevents a PHP fatal error when someone has no
    permissions, instead reverting to the pre-1:1.15.5-4 behaviour
    of showing a page asking the user to log in)

 -- Thorsten Glaser <tg@mirbsd.de>  Fri, 20 Jan 2012 17:13:28 +0100

mediawiki (1:1.15.5-6) unstable; urgency=low

  [ Thorsten Glaser ]
  * debian/patches/khtml_not_ff9.patch: new (Closes: #652948)

  [ Jonathan Wiltshire ]
  * debian/patches/CVE-2012-0046.patch: security fix for unintended exposure
    of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694)

 -- Jonathan Wiltshire <jmw@debian.org>  Fri, 13 Jan 2012 09:54:41 +0000

mediawiki (1:1.15.5-5) unstable; urgency=high

  * Security fixes from upstream:
    CVE-2011-1578 - XSS for IE <= 6
    CVE-2011-1579 - CSS validation error in wikitext parser
    CVE-2011-1580 - access control checks on transwiki import feature
    CVE-2011-1587 - fix incomplete patch for CVE-2011-1578

 -- Jonathan Wiltshire <jmw@debian.org>  Sun, 18 Dec 2011 23:48:18 +0000

mediawiki (1:1.15.5-4) unstable; urgency=low

  [ Thorsten Glaser ]
  * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)

  [ Jonathan Wiltshire ]
  * Security fixes from upstream (Closes: #650434):
    CVE-2011-4360 - page titles on private wikis could be exposed
    bypassing different page ids to index.php
    CVE-2011-4361 - action=ajax requests were dispatched to the
    relevant function without any read permission checks being done

 -- Jonathan Wiltshire <jmw@debian.org>  Wed, 30 Nov 2011 22:42:52 +0000

mediawiki (1:1.15.5-3) unstable; urgency=high

  [ Thorsten Glaser ]
  * debian/patches/fix_datetime.patch: new, convert argument into
    the format expected by other methods, fixes date/time output
    in e.g. the News/RSS extensions

  [ Jonathan Wiltshire ]
  * CVE-2011-0047: Protect against a CSS injection vulnerability
    (closes: #611787)
  * Update my email address

 -- Jonathan Wiltshire <jmw@debian.org>  Sun, 06 Feb 2011 15:53:48 +0000

mediawiki (1:1.15.5-2) testing-security; urgency=high

  * CVE-2011-0003: Protect against clickjacking by sending the
    X-Frame-Options header in all pages (except normal page views
    and a few selected special pages). Patch as released by upstream

 -- Jonathan Wiltshire <debian@jwiltshire.org.uk>  Tue, 04 Jan 2011 22:39:26 +0000

mediawiki (1:1.15.5-1) unstable; urgency=high

  [ Thorsten Glaser ]
  * debian/patches/suppress_warnings.patch: new, suppress warnings
    about session_start() being called twice also in the PHP error
    log, not just MediaWiki’s, for example run from FusionForge

  [ Jonathan Wiltshire ]
  * New upstream security release:
    - correctly set caching headers to prevent private data leakage
         (closes: #590660, LP: #610782)
    - fix XSS vulnerability in profileinfo.php
         (closes: #590669, LP: #610819)

 -- Jonathan Wiltshire <debian@jwiltshire.org.uk>  Wed, 28 Jul 2010 12:23:04 +0100

mediawiki (1:1.15.4-2) unstable; urgency=low

  [ Thorsten Glaser ]
  * debian/control: add Vcs-SVN and Vcs-Browser

  [ Jonathan Wiltshire ]
  * debian/source/format: Switch to source format 3.0 (quilt)
  * debian/rules: Drop CDBS quilt logic
  * debian_specific_config.patch: Don't just redefine MW_INSTALL_PATH,
    remove the original definition (LP: #406358)
  * debian/README.source: document use of quilt and format 3.0 (quilt)
  * New patch backup_documentation.patch improves documentation of
    maintenance/dumpBackup.php (closes: #572355)
  * Standards version 3.9.0 (no changes)

 -- Jonathan Wiltshire <debian@jwiltshire.org.uk>  Tue, 29 Jun 2010 14:20:35 +0100

mediawiki (1:1.15.4-1) unstable; urgency=high

  [ Jonathan Wiltshire ]
  * New upstream security release (closes: #585918).
  * CVE-2010-1647:
    Fix a cross-site scripting (XSS) vulnerability which allows
    remote attackers to inject arbitrary web script or HTML via crafted
    Cascading Style Sheets (CSS) strings that are processed as script by
    Internet Explorer.
  * CVE-2010-1648:
    Fix a cross-site request forgery (CSRF) vulnerability in the login interface
    which allows remote attackers to hijack the authentication of users for
    requests that (1) create accounts or (2) reset passwords, related to the
    Special:Userlogin form.

  [ Romain Beauxis ]
  * Put debian's package version in declared version.
    Should help sysadmins to keep track of installed
    versions, in particular with regard to security
    updates.
  * Added Jonathan Wiltshire to uploaders.
  * Do not clan math dir if it does not exist (for instance
    when running clean from SVN).

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 21 Jun 2010 23:41:29 +0200

mediawiki (1:1.15.3-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
  "MediaWiki was found to be vulnerable to login CSRF. An attacker who
   controls a user account on the target wiki can force the victim to log
   in as the attacker, via a script on an external website. If the wiki is
   configured to allow user scripts, say with "$wgAllowUserJs = true" in
   LocalSettings.php, then the attacker can proceed to mount a
  phishing-style attack against the victim to obtain their password."

 -- Romain Beauxis <toots@rastageeks.org>  Fri, 16 Apr 2010 14:44:09 -0500

mediawiki (1:1.15.2-1) unstable; urgency=high

  * New upstream release.
  * Fixes security issue:
  "Two security issues were discovered:

   A CSS validation issue was discovered which allows editors to display
   external images in wiki pages. This is a privacy concern on public
   wikis, since a malicious user may link to an image on a server they
   control, which would allow that attacker to gather IP addresses and
   other information from users of the public wiki. All sites running
   publicly-editable MediaWiki installations are advised to upgrade. All
   versions of MediaWiki (prior to this one) are affected.

   A data leakage vulnerability was discovered in thumb.php which affects
   wikis which restrict access to private files using img_auth.php, or
   some similar scheme. All versions of MediaWiki since 1.5 are affected."
  * Updated standards.
  * Removed section about upgrading from mediawiki1.x packages
    in README.Debian since they do not exist in any supported distribution
    anymore.
  * Switched php5-gd and imagemagick in Suggests. Closes: #542008
  * Backported patch from revision 51083 to fix a bug with invalid titles.
  Closes: #537134
  * Backported patch from revision 61090 to add a unique guid per RSS
    feed element.
  Closes: #383130
  * Refreshed patches.

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 15 Mar 2010 11:41:07 -0500

mediawiki (1:1.15.1-1) unstable; urgency=low

  * New upstream release.
  * Ack previous NMU, thanks to Nico Golde for taking care
    of this.

 -- Romain Beauxis <toots@rastageeks.org>  Sun, 09 Aug 2009 10:46:41 -0500

mediawiki (1:1.15.0-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cross-site scripting in [[Special:Block]]
    (No CVE id yet; XSS-no-CVE.patch; Closes: #537634).

 -- Nico Golde <nion@debian.org>  Sun, 26 Jul 2009 18:11:07 +0200

mediawiki (1:1.15.0-1) unstable; urgency=low

  * New upstream release.
  * Upstream added support for OASIS documents.
  Closes: #530328
  * Refreshed quilt patches
  * Bumped standards versions to 3.8.2
  * Bumped compat to 7
  * Pointed to GPL-2 in debian/copyright
  * Added php5-sqlite to possible DB backend dependencies.
  Closes: #501569
  * Proofread README.Debian, upgrade is documented there.
  Closes: #520121

 -- Romain Beauxis <toots@rastageeks.org>  Fri, 19 Jun 2009 01:38:50 +0200

mediawiki (1:1.14.0-1) unstable; urgency=low

  * New upstream release.
  * Fixed issues in the installer:
  "A number of cross-site scripting (XSS) security vulnerabilities were
   discovered in the web-based installer (config/index.php).
   These vulnerabilities all require a live installer once the installer
   has been used to install a wiki, it is deactivated.

   Note that cross-site scripting vulnerabilities can be used to attack
   any website in the same cookie domain. So if you have an uninstalled
   copy of MediaWiki on the same site as an active web service, MediaWiki
   could be used to attack the active service."
  Closes: #514547
  * Fixed typo in README.Debian
  Closes: #515192
  * Updated japanese debconf translation, thanks to Hideki Yamane
  Closes: #510896
  * Added a file in debian/copyright

 -- Romain Beauxis <toots@rastageeks.org>  Fri, 06 Mar 2009 20:29:17 +0100

mediawiki (1:1.13.3-1) unstable; urgency=low

  * New upstream release.
  * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
  "An XSS vulnerability affecting all MediaWiki installations between
   1.13.0 and 1.13.2."
  Closes: #508868
  * Fix CVE-2008-5250: several local script injection vulnerabilities
    in MediaWiki:
  "o A local script injection vulnerability affecting Internet Explorer
     clients for all MediaWiki installations with uploads enabled.
   o A local script injection vulnerability affecting clients with SVG
     scripting capability (such as Firefox 1.5+), for all MediaWiki
     installations with SVG uploads enabled."
  Closes: #508869
  * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
    feature in MediaWiki:
  "A CSRF vulnerability affecting the Special:Import feature, for all
   MediaWiki installations since the feature was introduced in 1.3.0."
  Closes: #508870

 -- Romain Beauxis <toots@rastageeks.org>  Thu, 18 Dec 2008 02:37:58 +0100

mediawiki (1:1.13.2-1) unstable; urgency=low

  * New upstream release
  * Fix CVE-2008-4408: XSS in mediawiki:
    "Cross-site scripting (XSS) vulnerability allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter
     to an unspecified component."
  Closes: #501115

 -- Romain Beauxis <toots@rastageeks.org>  Sat, 11 Oct 2008 15:02:39 +0200

mediawiki (1:1.13.0-2) unstable; urgency=low

  * Removed buggy postgresql patch
  Closes: #497042

 -- Romain Beauxis <toots@rastageeks.org>  Sat, 30 Aug 2008 14:06:47 +0200

mediawiki (1:1.13.0-1) unstable; urgency=low

  * New upstream release
  * Fixed watch file. Closes: #490009
  * Refreshed patches
  * Bumped standard-version to 3.8.0
  * Fixed latex-related dependencies in mediawiki-math
  * Removed obsolete linda override, thanks lintian !

 -- Romain Beauxis <toots@rastageeks.org>  Sun, 17 Aug 2008 11:01:43 +0200

mediawiki (1:1.12.0-2) unstable; urgency=low

  * Fixed postgresql dependency
  Closes: #472987
  * Added instructions to install and upgrade
  Closes: #472990, #472831

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 24 Mar 2008 02:49:15 +0100

mediawiki (1:1.12.0-1) unstable; urgency=low

  * New upstream release
  * Updated patch for postfix support: dropped what
    has been implemented upstream
  * Refreshed other patches, thanks to quilt
  * Changed postgresql recommends to "postgresql" package
  Closes: #469582

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 24 Mar 2008 02:20:12 +0100

mediawiki (1:1.11.2-2) unstable; urgency=high

  * Added patch to fix pgsql select, thanks to Marc Dequènes
  Closes: #469841
  * Upated README.Debian to mention php5-gd instead of php5-gd2
  and texlive-latex-base instead to tetex-bin.
  Closes: #469558
  * still setting urgency to high since previous upload didn't make it
  to testing.

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 03 Mar 2008 13:58:57 +0100

mediawiki (1:1.11.2-1) unstable; urgency=high

  * New upstream release
  * Security fix:
      "Possible cross-site information leaks using the callback
       parameter for JSON-formatted results in the API are prevented by
       dropping user credentials."
  * Added informations on LocalSettings.php in README.Debian
  Closes: #462609

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 03 Mar 2008 13:16:27 +0100

mediawiki (1:1.11.1-1) unstable; urgency=high

  * New upstream release
  * A potential XSS injection vector affecting
    Microsoft Internet Explorer users has been
    closed.

 -- Romain Beauxis <toots@rastageeks.org>  Sat, 26 Jan 2008 02:57:53 +0100

mediawiki (1:1.11.0-4) unstable; urgency=low

  * Really add the patch for #459312
  * Added also patch to fix #459617
    Closes: #459617
  * Merged two previous patches

 -- Romain Beauxis <toots@rastageeks.org>  Fri, 18 Jan 2008 16:14:59 +0100

mediawiki (1:1.11.0-3) unstable; urgency=low

  * Really remove debian specific scripts
  * Backported patch to fix unserialize with postgre
    Closes: #459312
  * Added finnish translation of the debconf templates, thanks to Esko
    Arajärvi. Closes: #456983
  * Updated standards to 3.7.3 (no changes)

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 07 Jan 2008 15:03:15 +0100

mediawiki (1:1.11.0-2) unstable; urgency=low

  * Initial upload of 1.11.0 to unstable

 -- Romain Beauxis <toots@rastageeks.org>  Sat, 03 Nov 2007 16:39:47 +0100

mediawiki (1:1.11.0-1) experimental; urgency=low

  * Removed mediawikiX versioned packages
  * Updated to mediawiki 1.11
  * Removed automatic upgrade script
  * Updated README.Debian (Closes: #442311, #442302)
  * Changed default upload directory (Closes: #444445)

 -- Romain Beauxis <toots@rastageeks.org>  Sun, 21 Oct 2007 20:54:00 +0200

mediawiki (1:1.10) unstable; urgency=low

  * Switched to mediawiki1.10
  * Mediawiki1.10 recommends mediawiki-math (Closes: #428021)

 -- Romain Beauxis <toots@rastageeks.org>  Tue, 10 Jul 2007 19:29:01 +0200

mediawiki (1:1.9) unstable; urgency=low

  * Switched to mediawiki1.9, closes: #392932
  * Corrected typo in control, closes: #414121
  * Seperated -math extension to a single package, closes: #401714

 -- Romain Beauxis <toots@rastageeks.org>  Thu, 12 Apr 2007 17:02:05 +0200

mediawiki (1:1.7) unstable; urgency=low

  * Initial Release

 -- Romain Beauxis <toots@rastageeks.org>  Mon,  6 Nov 2006 15:36:44 +0100
