CVS commit: [pkgsrc-2009Q4] pkgsrc/www/mediawiki

[Matthias Scheler <tron%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   tron
Date:           Wed Apr  7 10:21:11 UTC 2010

Modified Files:
        pkgsrc/www/mediawiki [pkgsrc-2009Q4]: Makefile distinfo

Log Message:
Pullup ticket #3073 - requested by martti
mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile                1.11
- www/mediawiki/distinfo                1.7
---
Module Name:    pkgsrc
Committed By:   martti
Date:           Wed Apr  7 05:40:11 UTC 2010

Modified Files:
        pkgsrc/www/mediawiki: Makefile distinfo

Log Message:
Updated www/mediawiki to 1.15.3

This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.

MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076


To generate a diff of this commit:
cvs rdiff -u -r1.9.4.1 -r1.9.4.2 pkgsrc/www/mediawiki/Makefile
cvs rdiff -u -r1.5.4.1 -r1.5.4.2 pkgsrc/www/mediawiki/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.