mahara-packaging team mailing list archive

[Bug 340863] Re: CVE-2009-0660 Multiple XSS vulnerabilities in Mahara 1.0.9

 

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report.  The bug has been fixed in newer releases of Ubuntu.

** Changed in: mahara (Ubuntu Intrepid)
       Status: New => Invalid

-- 
CVE-2009-0660 Multiple XSS vulnerabilities in Mahara 1.0.9
https://bugs.launchpad.net/bugs/340863
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in ubuntu.

Status in “mahara” package in Ubuntu: Fix Released
Status in “mahara” source package in Intrepid: Invalid
Status in “mahara” source package in Jaunty: Fix Released

Bug description:
Binary package hint: mahara

The latest version of Mahara 1.0.x (1.0.10) fixes a number of XSS bugs in user profile data and blogs.

This is the official Mahara security advisory: http://mahara.org/interaction/forum/topic.php?id=350

The CVE issue itself doesn't appear to be public yet, but I have attached the patch I sent over to vendor-sec.

Given that Mahara 1.0.10 doesn't bring new features, only bug fixes, I would recommend that Ubuntu simply upgrade to that version for Jaunty. Otherwise I can prepare a patched 1.0.9-1+ubuntu1 package.