Sync mahara 1.2.5-1 (universe) from Debian unstable (main)

Bug #602772 reported by Michael Bienia
Affects           Status        Importance  Assigned to  Milestone
mahara (Ubuntu)   Fix Released  Wishlist    Unassigned
Jaunty            Fix Released  Undecided   Unassigned
Karmic            Fix Released  Undecided   Unassigned
Lucid             Fix Released  Undecided   Unassigned
Maverick          Fix Released  Wishlist    Unassigned

Bug Description

Please sync mahara 1.2.5-1 (universe) from Debian unstable (main)

Changelog entries since current maverick version 1.2.4-1:

mahara (1.2.5-1) unstable; urgency=high

  * New upstream release
    - multiple cross-site scripting vulnerabilities (CVE-2010-1667)
    - multiple cross-site request forgery vulnerabilities (CVE-2010-1668)
    - sql injection (CVE-2010-1669)
    - unsafe auth plugins configuration options (CVE-2010-1670)

  * Use system's version of HTML purifier (CVE-2010-2479)
  * Add missing symlink to PEAR's File module to fix csv parsing

  * Remove reference to the common BSD license in debian/copyright
  * Bump Standards-Version to 3.9.0

 -- Francois Marier <email address hidden> Mon, 05 Jul 2010 15:45:27 +1200

Tags: patch
Michael Bienia (geser)
Changed in mahara (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
security vulnerability: no → yes
François Marier (fmarier) wrote :

I have just attached debdiffs for jaunty, karmic and lucid to fix all 5 CVE bugs (tested on each Ubuntu release).

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

2010-07-08 15:08:04 INFO - <mahara_1.2.5.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
[Updating] mahara (1.2.4-1 [Ubuntu] < 1.2.5-2 [Debian])
 * Trying to add mahara...
2010-07-08 15:08:05 INFO - <mahara_1.2.5-2.dsc: downloading from http://ftp.debian.org/debian/>
2010-07-08 15:08:05 INFO - <mahara_1.2.5-2.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
I: mahara [universe] -> mahara_1.2.4-1 [universe].
I: mahara [universe] -> mahara-apache2_1.2.4-1 [universe].

Changed in mahara (Ubuntu Maverick):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Francois, thanks for the patches! I have uploaded these to our security queue and will publish them after they finish building.

Changed in mahara (Ubuntu Lucid):
status: New → Fix Committed
Changed in mahara (Ubuntu Jaunty):
status: New → Fix Committed
Changed in mahara (Ubuntu Karmic):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

mahara (1.2.4-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting vulnerabilities
    - debian/patches/CVE-2010-1667.patch: upstream patch
    - CVE-2010-1667

  * SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
    - debian/patches/CVE-2010-1668.patch: upstream patch
    - CVE-2010-1668

  * SECURITY UPDATE: SQL injection
    - debian/patches/CVE-2010-1669.patch: upstream patch
    - CVE-2010-1669

  * SECURITY UPDATE: unsafe auth plugins configuration options
    - debian/patches/CVE-2010-1670.patch: upstream patch
    - CVE-2010-1670

  * SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
    - depend on php-htmlpurifier and stop using the bundled version
    - CVE-2010-2479

Changed in mahara (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

mahara (1.1.5-1ubuntu0.3) karmic-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting vulnerabilities
    - debian/patches/CVE-2010-1667.dpatch: upstream patch
    - CVE-2010-1667

  * SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
    - debian/patches/CVE-2010-1668.dpatch: upstream patch
    - CVE-2010-1668

  * SECURITY UPDATE: SQL injection
    - debian/patches/CVE-2010-1669.dpatch: upstream patch
    - CVE-2010-1669

  * SECURITY UPDATE: unsafe auth plugins configuration options
    - debian/patches/CVE-2010-1670.dpatch: upstream patch
    - CVE-2010-1670

  * SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
    - depend on php-htmlpurifier and stop using the bundled version
    - CVE-2010-2479

Changed in mahara (Ubuntu Karmic):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

mahara (1.0.9-2ubuntu0.7) jaunty-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting vulnerabilities
    - debian/patches/CVE-2010-1667.dpatch: upstream patch
    - CVE-2010-1667

  * SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
    - debian/patches/CVE-2010-1668.dpatch: upstream patch
    - CVE-2010-1668

  * SECURITY UPDATE: unsafe auth plugins configuration options
    - debian/patches/CVE-2010-1670.dpatch: upstream patch
    - CVE-2010-1670

  * SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
    - debian/patches/CVE-2010-2479.dpatch: upstream patch
    - CVE-2010-2479

Changed in mahara (Ubuntu Jaunty):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.