mahara-packaging team mailing list archive

Thread
Date
[Bug 958841] Re: Minor security update for Mahara

To: mahara-packaging@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <958841@xxxxxxxxxxxxxxxxxx>
Date: Fri, 23 Mar 2012 06:03:55 -0000
Reply-to: Bug 958841 <958841@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package mahara - 1.4.0-1ubuntu0.2

---------------
mahara (1.4.0-1ubuntu0.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <melissa@xxxxxxxxxxxxxxx>   Wed, 21 Mar 2012 14:43:12 +1300

** Changed in: mahara (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released

** Changed in: mahara (Ubuntu Natty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/958841

Title:
  Minor security update for Mahara

Status in “mahara” package in Ubuntu:
  Fix Released
Status in “mahara” source package in Lucid:
  Fix Released
Status in “mahara” source package in Maverick:
  Fix Released
Status in “mahara” source package in Natty:
  Fix Released
Status in “mahara” source package in Oneiric:
  Fix Released
Status in “mahara” source package in Precise:
  Fix Released

Bug description:
  [Problem]
  Minor security issue in past versions of Mahara.

  By default, SAML authentication instances have the "Match username
  attribute to Remote username" setting unchecked.  This means that a
  user logging in using single sign-on will log in as the local Mahara
  user whose Mahara username matches their SAML username attribute.

  [Impact]
  Security issue.  Could allow for impersonation.  Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.  Would allow administrators of one institution to control users in other institutions.

  [Development Fix]
  Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774).  This version was sync'd into Ubuntu precise.

  [Stable Fix]
  lucid, maverick, and natty carry 1.2.x which is affected by this issue.  oneiric carries 1.4.0 and is also affected.  Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.

  [Text Case]
  1. Set up mahara with the SAML plugin
  2. Set up multiple SAML instances
  3. Use default configuration
  4. Set up a remote SAML username that matches a local Mahara user
  5. Log on using single sign-on
  Broken Behavior:
  In config, "Match username attribute to Remote username"  is unchecked.
  Allows gaining control over the local Mara user account.

  Fixed Behavior:
  "Match username attribute to Remote username"  is enabled by default.

  [Regression Potential]
  Unknown

  [Original Report]
  Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara

  The issue affects both 1.2.x and 1.4.x

   * Fix default config for sites with multiple SAML instances
     - Default configuration changed to prevent impersonation
     - https://mahara.org/interaction/forum/topic.php?id=4367

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/958841/+subscriptions