Ubuntu
mahara package

  1. Bug #888358
  2. Comment #14

Comment 14 for bug 888358

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.4.0-1ubuntu0.1

---------------
mahara (1.4.0-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: XSS in unvalidated URI attributes
    - Added a filter to sanitise user input urls (LP: #888358)
    - debian/patches/CVE-2011-2771.patch: upstream patch
    - CVE-2011-2771

  * SECURITY UPDATE: DoS attack via invalid or excessively large images
    - Added a check to evaluate available memory before processing
      (LP: #888358)
    - debian/patches/CVE-2011-2772.patch: upstream patch
    - CVE-2011-2772

  * SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
    them to an institution
    - remove unreferenced and vulnerable addtoinstitution.php (LP: #888358)
    - debian/patches/CVE-2011-2773.patch: upstream patch
    - CVE-2011-2773

  * SECURITY UPDATE: Information disclosure exposing private messages
    - User check to ensure they are conversation participant (LP: #888358)
    - debian/patches/CVE-2011-2774.patch: upstream patch
    - CVE-2011-2774

  * SECURITY UPDATE: Prevent masquerading users from jumping as others
    - Added a check to prevent jumping as other users. (LP: #888358)
    - debian/patches/mnet_masquerading.patch: upstream patch
 -- Melissa Draper <email address hidden> Thu, 03 Nov 2011 22:32:45 +0000