
mahara-packaging team mailing list archive

[Bug 676336] Re: Blogs get deleted without sesskey check

 

François, if you could in the future include URLs to the patches, it
would be much easier to reconcile them:

+Origin: upstream, commit:3b1dc78070988b68fa7a8495c19957d83c204d95

maps to:

http://gitorious.org/mahara/mahara/commit/3b1dc78070988b68fa7a8495c19957d83c204d95

+Origin: upstream, commit:fcee1996e56588f2f0f54f627d3b75e695b03e1b

maps to:

http://gitorious.org/mahara/mahara/commit/fcee1996e56588f2f0f54f627d3b75e695b03e1b

Which took a fair bit of investigation to figure out.

However, these look exactly clean, and the patches fix a security
vulnerability, so I see no reason to delay uploading them.

As Artur said, the URL would be much more useful than just the commit
ID.

I've built with the debdiffs for lucid and maverick, and installed them.
I was able to perform the Mahara install and browse the site. I didn't
try to reproduce the security vulnerabilities, as creating users and
sending emails from inside a chroot can be difficult, but the code fixes
are extremely straightforward and identical to the patches applied
upstream, so I'm confident the issue is resolved.

As such I've marked the Lucid and Maverick tasks as confirmed.

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/676336

Title:
  Blogs get deleted without sesskey check

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released
Status in “mahara” package in Ubuntu:
  Fix Released
Status in “mahara” source package in Lucid:
  Confirmed
Status in “mahara” source package in Maverick:
  Confirmed
Status in “mahara” source package in Natty:
  Fix Released

Bug description:
  Permissions are checked but the sesskey is neither passed nor checked
  e.g. artefact/blog/index.php?delete=123
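
The class of bug in the description above, as an added example that is neither Mahara's code nor the upstream patch: a delete handler that checks ownership only, next to one that also requires POST and a session-bound token. All function and field names are hypothetical, and the sample session and blog data are constructed.

```php
<?php
// Added illustration; names are hypothetical, not Mahara's API.

// Issue one random token per session and reuse it in that session's forms.
function issue_sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}

// Before: ownership is checked, but any GET with ?delete=<id> is honoured.
function handle_delete_unchecked(array $get, array $session, array &$blogs): bool {
    $id = (int)($get['delete'] ?? 0);
    if (!isset($blogs[$id]) || $blogs[$id]['owner'] !== $session['user']) {
        return false; // permission check only
    }
    unset($blogs[$id]);
    return true;
}

// After: same ownership check, plus POST-only and a token tied to the session.
function handle_delete_checked(string $method, array $post, array $session, array &$blogs): bool {
    if ($method !== 'POST') {
        return false; // state changes are not accepted from a plain link
    }
    $sent = $post['sesskey'] ?? '';
    $expected = $session['sesskey'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return false; // token missing or wrong: not submitted from our own form
    }
    $id = (int)($post['delete'] ?? 0);
    if (!isset($blogs[$id]) || $blogs[$id]['owner'] !== $session['user']) {
        return false;
    }
    unset($blogs[$id]);
    return true;
}

// Constructed sample data.
$session = ['user' => 'alice'];
$key = issue_sesskey($session);
$blogs = [123 => ['owner' => 'alice'], 124 => ['owner' => 'alice']];

var_dump(handle_delete_unchecked(['delete' => '123'], $session, $blogs));      // GET link, no token
var_dump(handle_delete_checked('POST', ['delete' => '124'], $session, $blogs)); // POST, no token
var_dump(handle_delete_checked('POST', ['delete' => '124', 'sesskey' => $key], $session, $blogs)); // POST with token
```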