diff -Nru mahara-1.2.5/debian/changelog mahara-1.2.5/debian/changelog
--- mahara-1.2.5/debian/changelog 2010-07-06 17:36:34.000000000 +1200
+++ mahara-1.2.5/debian/changelog 2011-03-18 17:16:19.000000000 +1300
@@ -1,3 +1,15 @@
+mahara (1.2.5-2+ubuntu0.1) natty-security; urgency=low
+
+ * SECURITY UPDATE: cross-site scripting vulnerability
+ - debian/patches/CVE-2011-0439.dpatch: upstream patch
+ - CVE-2011-0439
+
+ * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
+ - debian/patches/CVE-2011-0440.dpatch: upstream patch
+ - CVE-2011-0440
+
+ -- Francois Marier Fri, 18 Mar 2011 15:51:03 +1300
+
 mahara (1.2.5-2) unstable; urgency=low
 * Remove postgresql8.3 from recommends, add postgresql8.4
diff -Nru mahara-1.2.5/debian/patches/CVE-2011-0439.patch mahara-1.2.5/debian/patches/CVE-2011-0439.patch
--- mahara-1.2.5/debian/patches/CVE-2011-0439.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.5/debian/patches/CVE-2011-0439.patch 2011-03-18 17:16:19.000000000 +1300
@@ -0,0 +1,17 @@
+Author: Richard Mansfield
+Description: Fix for XSS in select boxes
+Origin: upstream, commit:3b1dc78070988b68fa7a8495c19957d83c204d95
+Bug: https://bugs.launchpad.net/mahara/+bug/710428
+Last-Update: 2011-03-18
+
+--- a/htdocs/lib/pieforms/pieform/rules/validateoptions.php
++++ b/htdocs/lib/pieforms/pieform/rules/validateoptions.php
+@@ -42,7 +42,7 @@ function pieform_rule_validateoptions(Pieform $form, $field, $element) {/*{{{*/
+ $allowedvalues = array_keys($element['options']);
+ foreach ($field as $key) {
+ if (!in_array($key, $allowedvalues)) {
+- return sprintf($form->i18n('rule', 'validateoptions', 'validateoptions', $element), $key);
++ return sprintf($form->i18n('rule', 'validateoptions', 'validateoptions', $element), Pieform::hsc($key));
+ }
+ }
+ }/*}}}*/
diff -Nru mahara-1.2.5/debian/patches/CVE-2011-0440.patch mahara-1.2.5/debian/patches/CVE-2011-0440.patch
--- mahara-1.2.5/debian/patches/CVE-2011-0440.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.5/debian/patches/CVE-2011-0440.patch 2011-03-18 17:16:19.000000000 +1300
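Review bot: The membership test `in_array($key, $allowedvalues)` in pieform_rule_validateoptions is still a loose comparison, so the escaping added on the error path does not stop a malformed value from passing validation in the first place. `array_keys()` returns integers for numeric option keys, and on PHP versions before 8 a submitted string that merely begins with such a number compares equal to it, so the rule would accept it and hand it on unescaped. Comparing as strings with the strict flag closes this: `if (!in_array((string) $key, array_map('strval', $allowedvalues), true)) {`. The function body starts outside the patched hunk, so how `$field` is normalised before the loop is not visible here.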
@@ -0,0 +1,44 @@
+Author: Richard Mansfield
+Description: add missing check sesskey when deleting blogs (CSRF)
+Origin: upstream, commit:fcee1996e56588f2f0f54f627d3b75e695b03e1b
+Bug: https://bugs.launchpad.net/mahara/+bug/676336
+Last-Update: 2011-03-18
+
+--- a/htdocs/artefact/blog/index.php
++++ b/htdocs/artefact/blog/index.php
+@@ -34,6 +34,7 @@ require(dirname(dirname(dirname(__FILE__))) . '/init.php');
+ safe_require('artefact', 'blog');
+
+ if ($delete = param_integer('delete', 0)) {
++ form_validate(param_alphanum('sesskey', null));
+ $blog = artefact_instance_from_id($delete);
+ if ($blog instanceof ArtefactTypeBlog) {
+ $blog->check_permission();
+diff --git a/htdocs/artefact/blog/lib.php b/htdocs/artefact/blog/lib.php
+index 8642b49..585c371 100644
+--- a/htdocs/artefact/blog/lib.php
++++ b/htdocs/artefact/blog/lib.php
+@@ -297,8 +297,10 @@ class ArtefactTypeBlog extends ArtefactType {
+ }
+
+ public static function build_blog_list_html(&$blogs) {
++ global $USER;
+ $smarty = smarty_core();
+ $smarty->assign_by_ref('blogs', $blogs);
++ $smarty->assign('SESSKEY', $USER->get('sesskey'));
+ $blogs->tablerows = $smarty->fetch('artefact:blog:bloglist.tpl');
+ $pagination = build_pagination(array(
+ 'id' => 'bloglist_pagination',
+diff --git a/htdocs/artefact/blog/theme/raw/bloglist.tpl b/htdocs/artefact/blog/theme/raw/bloglist.tpl
+index c236aca..2a95f77 100644
+--- a/htdocs/artefact/blog/theme/raw/bloglist.tpl
++++ b/htdocs/artefact/blog/theme/raw/bloglist.tpl
+@@ -6,7 +6,7 @@
+
+
+ {str tag=settings}
+- {str tag=delete}
++ {str tag=delete}
+ {str tag=addpost section=artefact.blog}
+
+
diff -Nru mahara-1.2.5/debian/patches/series mahara-1.2.5/debian/patches/series
--- mahara-1.2.5/debian/patches/series 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.5/debian/patches/series 2011-03-18 17:16:19.000000000 +1300
@@ -0,0 +1,2 @@
+CVE-2011-0439.patch
+CVE-2011-0440.patch
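Review bot: The blog delete in index.php is still driven by request parameters (`param_integer('delete', 0)` plus the new `sesskey`), and lib.php now passes `SESSKEY` to bloglist.tpl, so the session key presumably ends up in the delete link's URL; the template markup is not legible in this copy, so that part is inferred. A token carried in a URL can be recorded in server logs, browser history and Referer headers, which weakens the CSRF protection this patch adds. Consider submitting the delete as a POST form with the key in a hidden field, and until then document the limitation above the new check, e.g. `// sesskey is read from the request URL here; move delete to a POST form to keep it out of logs and Referer`. The check also relies on `form_validate()` rejecting the `null` default when `sesskey` is absent, which cannot be confirmed from this hunk; the `if ($delete …)` block and `build_blog_list_html` both continue outside the lines shown.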