mahara-packaging team mailing list archive

[Bug 958841] Re: Minor security update for Mahara

** Changed in: mahara (Ubuntu Lucid)
       Status: Confirmed => Triaged

** Changed in: mahara (Ubuntu Maverick)
       Status: Confirmed => Triaged

** Changed in: mahara (Ubuntu Oneiric)
       Status: Confirmed => Triaged

** Changed in: mahara (Ubuntu Natty)
       Status: Confirmed => Triaged

** Changed in: mahara (Ubuntu Precise)
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/958841

Title:
  Minor security update for Mahara

Status in “mahara” package in Ubuntu:
  Triaged
Status in “mahara” source package in Lucid:
  Triaged
Status in “mahara” source package in Maverick:
  Triaged
Status in “mahara” source package in Natty:
  Triaged
Status in “mahara” source package in Oneiric:
  Triaged
Status in “mahara” source package in Precise:
  Triaged

Bug description:
  [Problem]
  Minor security issue in past versions of Mahara.

  [Impact]
  Security issue.  Could allow for impersonation.

  [Development Fix]
  Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774).  This version was sync'd into Ubuntu precise.

  [Stable Fix]
  lucid, maverick, and natty carry 1.2.x which is affected by this issue.  oneiric carries 1.4.0 and is also affected.  Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.

  [Test Case]
  <fill me in with detailed *instructions* on how to reproduce the bug.  This will be used by people later on to verify the updated package fixes the problem.>
  1.
  2.
  3.
  Broken Behavior:
  Fixed Behavior:

  [Regression Potential]
  <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.>

  [Original Report]
  Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara

  The issue affects both 1.2.x and 1.4.x

   * Fix default config for sites with multiple SAML instances
     - Default configuration changed to prevent impersonation
     - https://mahara.org/interaction/forum/topic.php?id=4367

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions