diff -u mediawiki-1.11.2/debian/control mediawiki-1.11.2/debian/control
--- mediawiki-1.11.2/debian/control
+++ mediawiki-1.11.2/debian/control
@@ -1,7 +1,8 @@
 Source: mediawiki
 Section: web
 Priority: optional
-Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
+Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
+XSBC-Original-Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
 Uploaders: Romain Beauxis <toots@rastageeks.org>
 Build-Depends: debhelper (>= 4.2.0), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), ocaml-nox | ocaml, xsltproc, docbook-xml, docbook-xsl, po-debconf
 Homepage: http://www.mediawiki.org/
diff -u mediawiki-1.11.2/debian/changelog mediawiki-1.11.2/debian/changelog
--- mediawiki-1.11.2/debian/changelog
+++ mediawiki-1.11.2/debian/changelog
@@ -1,3 +1,18 @@
+mediawiki (1:1.11.2-2ubuntu0.1) hardy-security; urgency=low
+
+  * SECURITY UPDATE:
+     Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
+     and possibly other versions before 1.13.2 allows remote attackers
+     to inject arbitrary web script or HTML via the useskin parameter 
+     to an unspecified component. (LP: #290015)
+     - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
+       upstream/Debian patch.
+     - CVE-2008-4408
+     - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
+     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115
+
+ -- Iain Lane <laney@ubuntu.com>  Mon, 27 Oct 2008 20:17:44 +0000
+
 mediawiki (1:1.11.2-2) unstable; urgency=high
 
   * Added patch to fix pgsql select, thanks to Marc Dequènes
diff -u mediawiki-1.11.2/debian/control.in mediawiki-1.11.2/debian/control.in
--- mediawiki-1.11.2/debian/control.in
+++ mediawiki-1.11.2/debian/control.in
@@ -1,7 +1,8 @@
 Source: mediawiki
 Section: web
 Priority: optional
-Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
+Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
+XSBC-Original-Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
 Uploaders: Romain Beauxis <toots@rastageeks.org>
 Build-Depends: @cdbs@, ocaml-nox | ocaml, xsltproc, docbook-xml, docbook-xsl, po-debconf
 Homepage: http://www.mediawiki.org/
diff -u mediawiki-1.11.2/debian/patches/series mediawiki-1.11.2/debian/patches/series
--- mediawiki-1.11.2/debian/patches/series
+++ mediawiki-1.11.2/debian/patches/series
@@ -1,3 +1,4 @@
+CVE-2008-4408.patch
 texvc_location.patch
 mimetypes.patch
 debian_specific_config.patch
only in patch2:
unchanged:
--- mediawiki-1.11.2.orig/debian/patches/CVE-2008-4408.patch
+++ mediawiki-1.11.2/debian/patches/CVE-2008-4408.patch
@@ -0,0 +1,15 @@
+Index: mediawiki-1.11.2/includes/SkinTemplate.php
+===================================================================
+--- mediawiki-1.11.2.orig/includes/SkinTemplate.php	2008-10-27 19:28:32.777037783 +0000
++++ mediawiki-1.11.2/includes/SkinTemplate.php	2008-10-27 20:15:01.669033319 +0000
+@@ -979,9 +979,7 @@
+ 		# If we use the site's dynamic CSS, throw that in, too
+ 		if ( $wgUseSiteCss ) {
+ 			$query = "usemsgcache=yes&action=raw&ctype=text/css&smaxage=$wgSquidMaxage";
+-			$skinquery = '';
+-			if (($us = $wgRequest->getVal('useskin', '')) !== '')
+-				$skinquery = "&useskin=$us";
++			$skinquery = "&useskin=" . urlencode( $this->getSkinName() );
+ 			$sitecss .= '@import "' . self::makeNSUrl( 'Common.css', $query, NS_MEDIAWIKI) . '";' . "\n";
+ 			$sitecss .= '@import "' . self::makeNSUrl( ucfirst( $this->skinname ) . '.css', $query, NS_MEDIAWIKI ) . '";' . "\n";
+ 			$sitecss .= '@import "' . self::makeUrl( '-', "action=raw&gen=css$siteargs$skinquery" ) . '";' . "\n";