mahara-packaging team mailing list archive
-
mahara-packaging team
-
Mailing list archive
-
Message #00092
[Bug 958841] Re: Minor security update for Mahara
** Description changed:
+ [Problem]
+ Minor security issue in past versions of Mahara.
+
[Impact]
- <fill me in with explanation of severity and frequency of bug on users and justification for backporting the fix to the stable release>
+ Security issue. Could allow for impersonation.
[Development Fix]
- <fill me in with an explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix. >
+ Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774). This version was sync'd into Ubuntu precise.
+
[Stable Fix]
- <fill me in by pointing out a minimal patch applicable to the stable version of the package.>
+ lucid, maverick, and natty carry 1.2.x which is affected by this issue. oneiric carries 1.4.0 and is also affected. Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.
[Text Case]
<fill me in with detailed *instructions* on how to reproduce the bug. This will be used by people later on to verify the updated package fixes the problem.>
1.
2.
3.
- Broken Behavior:
- Fixed Behavior:
+ Broken Behavior:
+ Fixed Behavior:
[Regression Potential]
- <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.
+ <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.
[Original Report]
Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara
The issue affects both 1.2.x and 1.4.x
* Fix default config for sites with multiple SAML instances
- Default configuration changed to prevent impersonation
- https://mahara.org/interaction/forum/topic.php?id=4367
--
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/958841
Title:
Minor security update for Mahara
Status in “mahara” package in Ubuntu:
Confirmed
Status in “mahara” source package in Lucid:
Confirmed
Status in “mahara” source package in Maverick:
Confirmed
Status in “mahara” source package in Natty:
Confirmed
Status in “mahara” source package in Oneiric:
Confirmed
Status in “mahara” source package in Precise:
Confirmed
Bug description:
[Problem]
Minor security issue in past versions of Mahara.
[Impact]
Security issue. Could allow for impersonation.
[Development Fix]
Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774). This version was sync'd into Ubuntu precise.
[Stable Fix]
lucid, maverick, and natty carry 1.2.x which is affected by this issue. oneiric carries 1.4.0 and is also affected. Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.
[Text Case]
<fill me in with detailed *instructions* on how to reproduce the bug. This will be used by people later on to verify the updated package fixes the problem.>
1.
2.
3.
Broken Behavior:
Fixed Behavior:
[Regression Potential]
<fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.
[Original Report]
Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara
The issue affects both 1.2.x and 1.4.x
* Fix default config for sites with multiple SAML instances
- Default configuration changed to prevent impersonation
- https://mahara.org/interaction/forum/topic.php?id=4367
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions