
mahara-packaging team mailing list archive

[Bug 888358] Re: Several security updates for Mahara


** Patch added: "debdiff for oneiric"
   https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+attachment/2591388/+files/oneiric.diff

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2771

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2772

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2773

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2774

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358

Title:
  Several security updates for Mahara

Status in “mahara” package in Ubuntu:
  New

Bug description:
  Here are patches to fix a number of very serious security issues in
  lucid, maverick, natty and oneiric versions of Mahara.

  Issues affecting both 1.2.x and 1.4.0 are:

    * XSS in unvalidated URI attributes
      - CVE-2011-2771
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135

    * DoS attack via invalid or excessively large images
      - CVE-2011-2772
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133

    * XSRF allowing attackers to trick an admin into adding them to an institution
      - CVE-2011-2773
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137

    * Prevent masquerading users from jumping via XMLRPC as others
      - CVE pending from oss-sec list via debian security list
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138

  One issue affects the 1.4.0 version of Mahara in Oneiric:

    * Information disclosure exposing private messages
      - CVE-2011-2774
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions
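As an added illustration of the first issue class listed in the bug description (XSS in unvalidated URI attributes), the following example shows the defensive pattern such a fix needs: an allowlist check on the scheme of any user-supplied value before it is written into an `href` or `src` attribute. This is example code written for this archive page; it is not Mahara's code and is not the upstream fix for CVE-2011-2771. The scheme allowlist, the function names and the constructed sample inputs are assumptions.

```python
import html
import re
from typing import Optional

# Schemes we are willing to emit in href/src attributes (assumed allowlist).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Pre-processing that browsers apply before parsing a URL: leading and
# trailing C0 controls and space are stripped, and any tab, LF or CR inside
# the value is removed. Doing the same here means "java\tscript:" is seen
# as "javascript:" by the check, exactly as the browser will see it.
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")

# A well-formed scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_uri(value: Optional[str]) -> Optional[str]:
    """Return a cleaned URI if its scheme is allowed, otherwise None.

    Relative references (no scheme) are accepted, except protocol-relative
    "//host/..." values, which would point at another origin. The caller is
    assumed to have already decoded HTML entities in `value`.
    """
    if value is None:
        return None
    cleaned = _TAB_NEWLINE.sub("", value.strip(_LEADING_TRAILING))
    if not cleaned:
        return None
    # Any remaining control character is a sign of tampering: reject.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return None
    match = _SCHEME.match(cleaned)
    if match:
        scheme = match.group(1).lower()   # schemes are case-insensitive
        return cleaned if scheme in ALLOWED_SCHEMES else None
    # No well-formed scheme: treat as a relative reference.
    if cleaned.startswith("//"):
        return None
    # Refuse anything that still carries a ':' before the first '/', '?' or
    # '#': such values are ambiguous and give no benefit worth the risk.
    first_segment = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" in first_segment:
        return None
    return cleaned


def render_link(href: Optional[str], text: str) -> str:
    """Emit an <a> element, dropping the href entirely if it is not safe.

    Attribute and text content are HTML-escaped separately from the scheme
    check; the two defences address different injection points.
    """
    label = html.escape(text, quote=True)
    uri = safe_uri(href)
    if uri is None:
        return f"<a>{label}</a>"
    return f'<a href="{html.escape(uri, quote=True)}">{label}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "https://example.org/path?q=1",
        "/relative/page#top",
        "mailto:user@example.org",
        "JaVaScRiPt:alert(1)",
        " \tjava\nscript:alert(1)",
        "data:text/html;base64,AAAA",
        "//example.net/other-origin",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(safe_uri(sample)))
```

The scheme check is deliberately done on the browser-normalised form rather than on the raw string: filters that only compare the raw prefix against `"javascript:"` miss mixed case and embedded tab or newline characters, which is the usual way such a filter is bypassed.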