mahara-packaging team mailing list archive
Message #00077
 [Bug 888358] Re: Several security updates for Mahara
  
Hi Melissa,
In the oneiric debdiff, the patch for CVE-2011-2773 is significantly
different from the one for prior versions (it removes
addtoinstitution.php outright where the others add the session check).
Based on perusing bug 800032, I'm assuming this is intended and will
adjust the changelog to match.
Assigning the tasks to myself. Thanks
** Changed in: mahara (Ubuntu Lucid)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mahara (Ubuntu Maverick)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mahara (Ubuntu Natty)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mahara (Ubuntu Oneiric)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358
Title:
  Several security updates for Mahara
Status in “mahara” package in Ubuntu:
  Confirmed
Status in “mahara” source package in Lucid:
  Confirmed
Status in “mahara” source package in Maverick:
  Confirmed
Status in “mahara” source package in Natty:
  Confirmed
Status in “mahara” source package in Oneiric:
  Confirmed
Status in “mahara” source package in Precise:
  Confirmed
Bug description:
  Here are patches to fix a number of very serious security issues in
  lucid, maverick, natty and oneiric versions of Mahara.
  Issues affecting both 1.2.x and 1.4.0 are:
    * XSS in unvalidated URI attributes
      - CVE-2011-2771
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135
    * DoS attack via invalid or excessively large images
      - CVE-2011-2772
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133
    * XSRF allowing attackers to trick an admin into adding them to an institution
      - CVE-2011-2773
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137
    * Prevent masquerading users from jumping via XMLRPC as others
      - CVE pending from oss-sec list via debian security list
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138
  One issue affects the 1.4.0 version of Mahara in Oneiric:
    * Information disclosure exposing private messages
      - CVE-2011-2774
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions
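The message above notes that the pre-oneiric patches for CVE-2011-2773 fix the XSRF in addtoinstitution.php by adding a session check rather than removing the file. The PHP below is an added illustration of that pattern (a session-bound anti-CSRF token verified on every state-changing POST), not Mahara's code or the Ubuntu patch: the function names, the `sesskey` field name, the `$session` array layout and the `$addMember` callback are assumptions made for the example.

```php
<?php
// Added example, not Mahara's code: a session-bound CSRF token check for a
// state-changing admin action such as adding a user to an institution.
// Function names, the "sesskey" field, the $session layout and the callback
// are assumptions for illustration only.

declare(strict_types=1);

// Issue (or reuse) a per-session anti-CSRF token. It lives server-side in the
// session, is embedded in each form the admin renders, and is compared on POST.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate the token that arrived with the request. hash_equals() is a
// constant-time comparison, so the check is not a timing oracle.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['sesskey'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Vulnerable handler: the only gate is "is the caller an admin". An attacker
// satisfies that by luring a logged-in admin to a page that auto-submits this
// form, because the browser attaches the admin's session cookie automatically.
function add_to_institution_vulnerable(array $session, array $post, callable $addMember): string
{
    if (empty($session['is_admin'])) {
        return 'denied: not an admin';
    }
    $addMember((int) $post['userid'], (string) $post['institution']);
    return 'added';
}

// Hardened handler: same authorisation, plus the request must carry the
// session-bound token, which a cross-site page cannot read or guess.
function add_to_institution_hardened(array $session, array $post, callable $addMember): string
{
    if (empty($session['is_admin'])) {
        return 'denied: not an admin';
    }
    if (!csrf_valid($session, $post)) {
        return 'denied: missing or bad session key';
    }
    $addMember((int) $post['userid'], (string) $post['institution']);
    return 'added';
}

// Constructed demo: an admin's session, a forged cross-site POST without the
// token, and a legitimate POST from the admin's own form that includes it.
$session = ['is_admin' => true];
$token   = csrf_token($session);
$added   = [];
$record  = function (int $uid, string $inst) use (&$added): void {
    $added[] = [$uid, $inst];
};

$forged = ['userid' => 42, 'institution' => 'attacker-inst'];
echo "vulnerable, forged request: ", add_to_institution_vulnerable($session, $forged, $record), "\n";
echo "hardened, forged request:   ", add_to_institution_hardened($session, $forged, $record), "\n";

$legit = $forged + ['sesskey' => $token];
echo "hardened, legitimate form:  ", add_to_institution_hardened($session, $legit, $record), "\n";
echo "memberships recorded: ", count($added), "\n";
```

The forged request succeeds against the vulnerable handler and is rejected by the hardened one; only the request carrying the admin's own token goes through, so two memberships are recorded rather than three. Removing the endpoint outright, as the oneiric patch does, closes the same hole more bluntly; the token check is the option when the action has to stay available.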