mahara-packaging team mailing list archive
-
mahara-packaging team
-
Mailing list archive
-
Message #00076
[Bug 888358] Re: Several security updates for Mahara
I've uploaded new patches with the requested alterations to
debian/control and debian/changelog.
Did francois' comment above regarding Debian maintenance contain
sufficient information regarding your query about the DEP-5 headers?
Is there anything else specific we need to do to get this reviewed and
sponsored by the security team?
Thanks,
Melissa.
--
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358
Title:
Several security updates for Mahara
Status in “mahara” package in Ubuntu:
Confirmed
Status in “mahara” source package in Lucid:
Confirmed
Status in “mahara” source package in Maverick:
Confirmed
Status in “mahara” source package in Natty:
Confirmed
Status in “mahara” source package in Oneiric:
Confirmed
Status in “mahara” source package in Precise:
Confirmed
Bug description:
Here are patches to fix a number of very serious security issues in
lucid, maverick, natty and oneiric versions of Mahara.
Issues affecting both 1.2.x and 1.4.0 are:
* XSS in unvalidated URI attributes
- CVE-2011-2771
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135
* DoS attack via invalid or excessively large images
- CVE-2011-2772
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133
* XSRF allowing attackers to trick an admin into adding them to an institution
- CVE-2011-2773
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137
* Prevent masquerading users from jumping via XMLRPC as others
- CVE pending from oss-sec list via debian security list
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138
One issue affects the 1.4.0 version of Mahara in Oneiric:
* Information disclosure exposing private messages
- CVE-2011-2774
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions