
mahara-contributors team mailing list archive

[Bug 1889485] A change has been merged

 

Reviewed:  https://reviews.mahara.org/11093
Committed: https://git.mahara.org/mahara/mahara/commit/7f97ceb72e4cf0caafaee2963a3ec2152b874137
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit 7f97ceb72e4cf0caafaee2963a3ec2152b874137
Author: Lisa Seeto <lisaseeto@xxxxxxxxxxxxxxx>
Date:   Thu Jul 30 11:39:35 2020 +1200

Bug 1889485: Security Upgrade SimpleSAML 1.18.4 to 1.18.7

- upgrade to version 1.18.7

Change-Id: I4e7ca4de32a4c69224c184013c15f92069cc97ff
Signed-off-by: Lisa Seeto <lisaseeto@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1889485

Title:
  Security Upgrade SimpleSAML 1.18.4 to 1.18.7

Status in Mahara:
  Confirmed
Status in Mahara 19.04 series:
  Confirmed
Status in Mahara 19.10 series:
  Confirmed
Status in Mahara 20.04 series:
  Confirmed
Status in Mahara 20.10 series:
  Confirmed

Bug description:
  From https://simplesamlphp.org/security/202004-01:

  Date: April 03, 2020
  Affected versions: SimpleSAMLphp 1.18.5 and older
  Severity: Low

  Background

  The module controller in SimpleSAML\Module that processes requests for pages hosted by modules has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser.

  Description

  The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path ending with e.g. .PHP and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser.

  Affected versions

  SimpleSAMLphp versions 1.18.5 and older.

  We will upgrade to version 1.18.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1889485/+subscriptions
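
The condition described in the advisory above can be modelled as follows. This is an added example, not code from SimpleSAMLphp or Mahara: the function names, file names and request paths are all hypothetical, and the case-insensitive comparison is one hardened form of the check, not necessarily the project's actual fix.

```php
<?php
declare(strict_types=1);

// Added illustration; a simplified model, not SimpleSAMLphp's actual code.

/** Case-sensitive suffix test: the flawed behaviour the advisory describes. */
function isPhpCaseSensitive(string $path): bool
{
    return substr($path, -4) === '.php';
}

/** Hardened test: normalise the extension before comparing. */
function isPhpCaseInsensitive(string $path): bool
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php';
}

/** Model a case-insensitive file system: find the stored name ignoring case. */
function resolveIgnoringCase(string $requested, array $filesOnDisk): ?string
{
    foreach ($filesOnDisk as $stored) {
        if (strcasecmp($stored, $requested) === 0) {
            return $stored;
        }
    }
    return null;
}

/** Return requests whose PHP source would be sent to the browser unprocessed. */
function findSourceDisclosures(array $requests, array $filesOnDisk, callable $isPhp): array
{
    $leaks = [];
    foreach ($requests as $requested) {
        $stored = resolveIgnoringCase($requested, $filesOnDisk);
        // The file exists and is PHP, but the dispatcher did not recognise it.
        if ($stored !== null && isPhpCaseInsensitive($stored) && !$isPhp($requested)) {
            $leaks[] = $requested;
        }
    }
    return $leaks;
}

// Constructed sample data (hypothetical module files and request paths).
$filesOnDisk = ['example/page.php', 'example/style.css'];
$requests = ['example/page.php', 'example/page.PHP', 'example/page.Php', 'example/style.css'];

echo 'case-sensitive check:   ', implode(', ', findSourceDisclosures($requests, $filesOnDisk, 'isPhpCaseSensitive')), "\n";
echo 'case-insensitive check: ', implode(', ', findSourceDisclosures($requests, $filesOnDisk, 'isPhpCaseInsensitive')), "\n";
```

The same helper can serve as a regression check after an upgrade by passing in whatever extension test the deployed dispatcher uses.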

