mahara-packaging team mailing list archive
-
mahara-packaging team
-
Mailing list archive
-
Message #00071
[Bug 888358] Re: Several security updates for Mahara
All of these patches come from the upstream developers (who are also the
Debian maintainers for the mahara package).
The 1.2 patches were made custom for Debian, the 1.4 ones were included
as part of the 1.4.1 release.
--
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358
Title:
Several security updates for Mahara
Status in “mahara” package in Ubuntu:
Confirmed
Status in “mahara” source package in Lucid:
Confirmed
Status in “mahara” source package in Maverick:
Confirmed
Status in “mahara” source package in Natty:
Confirmed
Status in “mahara” source package in Oneiric:
Confirmed
Status in “mahara” source package in Precise:
Confirmed
Bug description:
Here are patches to fix a number of very serious security issues in
lucid, maverick, natty and oneiric versions of Mahara.
Issues affecting both 1.2.x and 1.4.0 are:
* XSS in unvalidated URI attributes
- CVE-2011-2771
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135
* DoS attack via invalid or excessively large images
- CVE-2011-2772
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133
* XSRF allowing attackers to trick an admin into adding them to an institution
- CVE-2011-2773
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137
* Prevent masquerading users from jumping via XMLRPC as others
- CVE pending from oss-sec list via debian security list
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138
One issue affects the 1.4.0 version of Mahara in Oneiric:
* Information disclosure exposing private messages
- CVE-2011-2774
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions
