
mahara-packaging team mailing list archive

[Bug 958841] Re: Minor security update for Mahara

Hi Melissa, thanks for tackling this security issue.

I've verified the packages build, reviewed the patch, and filled in the
SRU description.  However, since this targets the -security queue, I am
not able to upload it.  So, I will assign it to the security team and
unsub sponsors.


** Changed in: mahara (Ubuntu Lucid)
       Status: Triaged => Fix Committed

** Changed in: mahara (Ubuntu Maverick)
       Status: Triaged => Fix Committed

** Changed in: mahara (Ubuntu Natty)
       Status: Triaged => Fix Committed

** Changed in: mahara (Ubuntu Oneiric)
       Status: Triaged => Fix Committed

** Changed in: mahara (Ubuntu Precise)
       Status: Triaged => Fix Released

** Changed in: mahara (Ubuntu Lucid)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: mahara (Ubuntu Maverick)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: mahara (Ubuntu Natty)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: mahara (Ubuntu Oneiric)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/958841

Title:
  Minor security update for Mahara

Status in “mahara” package in Ubuntu:
  Fix Released
Status in “mahara” source package in Lucid:
  Fix Committed
Status in “mahara” source package in Maverick:
  Fix Committed
Status in “mahara” source package in Natty:
  Fix Committed
Status in “mahara” source package in Oneiric:
  Fix Committed
Status in “mahara” source package in Precise:
  Fix Released

Bug description:
  [Problem]
  Minor security issue in past versions of Mahara.

  By default, SAML authentication instances have the "Match username
  attribute to Remote username" setting unchecked.  This means that a
  user logging in using single sign-on will log in as the local Mahara
  user whose Mahara username matches their SAML username attribute.

  [Impact]
  Security issue.  Could allow for impersonation.  Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.  Would allow administrators of one institution to control users in other institutions.

  [Development Fix]
  Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774).  This version was sync'd into Ubuntu precise.

  [Stable Fix]
  lucid, maverick, and natty carry 1.2.x which is affected by this issue.  oneiric carries 1.4.0 and is also affected.  Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.

  [Test Case]
  1. Set up mahara with the SAML plugin
  2. Set up multiple SAML instances
  3. Use default configuration
  4. Set up a remote SAML username that matches a local Mahara user
  5. Log on using single sign-on
  Broken Behavior:
  In config, "Match username attribute to Remote username" is unchecked.
  Allows gaining control over the local Mahara user account.

  Fixed Behavior:
  "Match username attribute to Remote username" is enabled by default.

  [Regression Potential]
  Unknown

  [Original Report]
  Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara

  The issue affects both 1.2.x and 1.4.x

   * Fix default config for sites with multiple SAML instances
     - Default configuration changed to prevent impersonation
     - https://mahara.org/interaction/forum/topic.php?id=4367

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions
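The username-mapping behaviour behind this bug, as an added illustration that is not Mahara's own code. The page only names the setting, so the model assumes that with "Match username attribute to Remote username" enabled Mahara resolves the assertion's username attribute through a remote-username table scoped to the auth instance that received the assertion, and with it disabled matches the attribute directly against local Mahara usernames. The institutions, users, instance names and the `resolve_saml_login` helper are constructed for the example.

```python
"""Two SAML username-mapping modes, modelled after the Mahara bug report.

Added example, not Mahara code. Assumption (not stated on the page): with
"Match username attribute to Remote username" enabled, the attribute is
looked up in a per-auth-instance remote-username table; with it disabled,
the attribute is matched straight against local usernames.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LocalUser:
    username: str
    institution: str


@dataclass
class SamlInstance:
    name: str                     # constructed, e.g. "inst-b-saml"
    institution: str
    match_remote_username: bool   # the setting the bug is about
    # remote username attribute value -> local username, filled only when an
    # account has been linked to *this* identity provider
    remote_users: dict = field(default_factory=dict)


class AuthError(Exception):
    pass


def resolve_saml_login(instance, username_attr, local_users):
    """Return the LocalUser that an assertion received by `instance` logs in as.

    `username_attr` is whatever the identity provider put in the assertion;
    the IdP's administrator controls it completely.
    """
    if instance.match_remote_username:
        # Fixed default: only accounts linked to this auth instance are
        # reachable through it, so another institution's IdP cannot name
        # users it never linked.
        local = instance.remote_users.get(username_attr)
        if local is None:
            raise AuthError(f"{username_attr!r} is not linked to {instance.name}")
        return local_users[local]
    # Pre-fix default: the attribute is matched against any local username,
    # regardless of which identity provider issued the assertion.
    user = local_users.get(username_attr)
    if user is None:
        raise AuthError(f"no local user {username_attr!r}")
    return user


# Constructed sample site: two institutions, each with its own SAML instance.
LOCAL_USERS = {
    "alice": LocalUser("alice", "inst-a"),
    "bob": LocalUser("bob", "inst-b"),
}


def build_instances(match_remote_username):
    inst_a = SamlInstance("inst-a-saml", "inst-a", match_remote_username,
                          {"alice": "alice"})
    inst_b = SamlInstance("inst-b-saml", "inst-b", match_remote_username,
                          {"bob": "bob"})
    return inst_a, inst_b


def legitimate_login(match_remote_username):
    """Institution B's IdP asserts its own user 'bob'; works in both modes."""
    _, inst_b = build_instances(match_remote_username)
    return resolve_saml_login(inst_b, "bob", LOCAL_USERS)


def impersonation_succeeds(match_remote_username):
    """Institution B's IdP asserts 'alice', a user it never linked.

    Returns True if the login lands on an account outside institution B,
    i.e. the cross-institution impersonation from the bug description.
    """
    _, inst_b = build_instances(match_remote_username)
    try:
        user = resolve_saml_login(inst_b, "alice", LOCAL_USERS)
    except AuthError:
        return False
    return user.institution != inst_b.institution


if __name__ == "__main__":
    for setting in (False, True):
        print(f"match_remote_username={setting}: "
              f"bob logs in as {legitimate_login(setting).username}, "
              f"impersonation of alice succeeds: {impersonation_succeeds(setting)}")
```

The point the test case in the bug makes is visible in `impersonation_succeeds`: the attacker needs nothing beyond control of one identity provider that the site already trusts, because with the old default the site never asks which provider is allowed to vouch for which local account. Sites on an affected version that cannot upgrade immediately can check each SAML instance's configuration for the unchecked setting rather than waiting for the new default to apply.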