* SECURITY UPDATE: XSS in unvalidated URI attributes
- Added a filter to sanitise user input urls (LP: #888358)
- debian/patches/CVE-2011-2771.patch: upstream patch
- CVE-2011-2771
* SECURITY UPDATE: DoS attack via invalid or excessively large images
- Added a check to evaluate available memory before processing
(LP: #888358)
- debian/patches/CVE-2011-2772.patch: upstream patch
- CVE-2011-2772
* SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
them to an institution
- remove unreferenced and vulnerable addtoinstitution.php (LP: #888358)
- debian/patches/CVE-2011-2773.patch: upstream patch
- CVE-2011-2773
* SECURITY UPDATE: Information disclosure exposing private messages
- User check to ensure they are conversation participant (LP: #888358)
- debian/patches/CVE-2011-2774.patch: upstream patch
- CVE-2011-2774
* SECURITY UPDATE: Prevent masquerading users from jumping as others
- Added a check to prevent jumping as other users. (LP: #888358)
- debian/patches/mnet_masquerading.patch: upstream patch
-- Melissa Draper <email address hidden> Thu, 03 Nov 2011 22:32:45 +0000
This bug was fixed in the package mahara - 1.4.0-1ubuntu0.1
---------------
mahara (1.4.0-1ubuntu0.1) oneiric-security; urgency=low
* SECURITY UPDATE: XSS in unvalidated URI attributes patches/ CVE-2011- 2771.patch: upstream patch
- Added a filter to sanitise user input urls (LP: #888358)
- debian/
- CVE-2011-2771
* SECURITY UPDATE: DoS attack via invalid or excessively large images patches/ CVE-2011- 2772.patch: upstream patch
- Added a check to evaluate available memory before processing
(LP: #888358)
- debian/
- CVE-2011-2772
* SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding n.php (LP: #888358) patches/ CVE-2011- 2773.patch: upstream patch
them to an institution
- remove unreferenced and vulnerable addtoinstitutio
- debian/
- CVE-2011-2773
* SECURITY UPDATE: Information disclosure exposing private messages patches/ CVE-2011- 2774.patch: upstream patch
- User check to ensure they are conversation participant (LP: #888358)
- debian/
- CVE-2011-2774
* SECURITY UPDATE: Prevent masquerading users from jumping as others patches/ mnet_masqueradi ng.patch: upstream patch
- Added a check to prevent jumping as other users. (LP: #888358)
- debian/
-- Melissa Draper <email address hidden> Thu, 03 Nov 2011 22:32:45 +0000