Romain Beauxis: Security update: Mediawiki 1.15.2-1
I have just uploaded a new vesion of the mediawiki package, namely 1.15.2-1. This version fixes two security issues. One of which is present in all versions of mediawiki and the other one since 1.5.
A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected.This package should make it to testing quite soon (priority is high). I have also uploaded a similar package in backports.org I have also prepared a security update for the stable package, based on the diff from the 1.15.2 release. Before it is uploaded, you can find it there. Please, report any issue with this package. Of course, I recommend that any user of mediawiki upgrade to one of these package as soon as possible... :-)