mahara-packaging team mailing list archive
-
mahara-packaging team
-
Mailing list archive
-
Message #00082
[Bug 888358] Re: Several security updates for Mahara
This bug was fixed in the package mahara - 1.2.4-1ubuntu0.4
---------------
mahara (1.2.4-1ubuntu0.4) lucid-security; urgency=low
* SECURITY UPDATE: XSS in unvalidated URI attributes
- Added a filter to sanitise user input urls (LP: #888358)
- debian/patches/CVE-2011-2771.patch: upstream patch
- CVE-2011-2771
* SECURITY UPDATE: DoS attack via invalid or excessively large images
- Added a check to evaluate available memory before processing
(LP: #888358)
- debian/patches/CVE-2011-2772.patch: upstream patch
- CVE-2011-2772
* SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
them to an institution
- Session check added (LP: #888358)
- debian/patches/CVE-2011-2773.patch: upstream patch
- CVE-2011-2773
* SECURITY UPDATE: Prevent masquerading users from jumping as others
- Added a check to prevent jumping as other users. (LP: #888358)
- debian/patches/mnet_masquerading.patch: upstream patch
-- Melissa Draper <melissa@xxxxxxxxxxxxxxx> Wed, 02 Nov 2011 21:26:46 +0000
--
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358
Title:
Several security updates for Mahara
Status in “mahara” package in Ubuntu:
Fix Released
Status in “mahara” source package in Lucid:
Fix Released
Status in “mahara” source package in Maverick:
Fix Released
Status in “mahara” source package in Natty:
Fix Released
Status in “mahara” source package in Oneiric:
Fix Released
Status in “mahara” source package in Precise:
Fix Released
Bug description:
Here are patches to fix a number of very serious security issues in
lucid, maverick, natty and oneiric versions of Mahara.
Issues affecting both 1.2.x and 1.4.0 are:
* XSS in unvalidated URI attributes
- CVE-2011-2771
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135
* DoS attack via invalid or excessively large images
- CVE-2011-2772
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133
* XSRF allowing attackers to trick an admin into adding them to an institution
- CVE-2011-2773
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137
* Prevent masquerading users from jumping via XMLRPC as others
- CVE pending from oss-sec list via debian security list
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138
One issue affects the 1.4.0 version of Mahara in Oneiric:
* Information disclosure exposing private messages
- CVE-2011-2774
- Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions