diff -Nru mahara-1.4.1/ChangeLog mahara-1.4.2/ChangeLog
--- mahara-1.4.1/ChangeLog 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/ChangeLog 2012-03-06 06:09:13.000000000 +0530
@@ -1,3 +1,11 @@
+1.4.2 (2012-03-06)
+- Fix PHP Fatal Error in user/view.php (Bug #885588)
+- Fixes to Selenium tests
+- Blog block pagination bug prevents images from being displayed (Bug #886581)
+- Fixed youtube filter Bug #884438
+- Ensure that default SAML behaviour is to match user to remote user name (Bug #932909)
+- Update the registration URL to support SSL (Bug #943772)
+
 1.4.1 (2011-11-01)
 - XSS in unvalidated URI attributes (CVE-2011-2771)
 - Information disclosure exposing private messages (CVE-2011-2774)
diff -Nru mahara-1.4.1/debian/changelog mahara-1.4.2/debian/changelog
--- mahara-1.4.1/debian/changelog 2011-11-04 04:49:25.000000000 +0530
+++ mahara-1.4.2/debian/changelog 2012-03-26 10:00:50.000000000 +0530
@@ -1,3 +1,11 @@
+mahara (1.4.2-1) unstable; urgency=high
+
+ * New upstream release
+ * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
+ - Default configuration changed to prevent impersonation
+
+ -- Melissa Draper Wed, 14 Mar 2012 01:53:32 +0000
+
 mahara (1.4.1-1) unstable; urgency=low

 * New upstream release
diff -Nru mahara-1.4.1/debian/control mahara-1.4.2/debian/control
--- mahara-1.4.1/debian/control 2011-11-04 04:49:25.000000000 +0530
+++ mahara-1.4.2/debian/control 2012-03-26 10:00:50.000000000 +0530
@@ -2,7 +2,7 @@
 Section: web
 Priority: optional
 Maintainer: Mahara Packaging Team
-Uploaders: Francois Marier
+Uploaders: Melissa Draper
 Build-Depends: debhelper (>= 8), po-debconf
 Standards-Version: 3.9.2
 Homepage: http://www.mahara.org
diff -Nru mahara-1.4.1/htdocs/artefact/blog/posts.json.php mahara-1.4.2/htdocs/artefact/blog/posts.json.php
--- mahara-1.4.1/htdocs/artefact/blog/posts.json.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/artefact/blog/posts.json.php 2012-03-06 06:09:13.000000000 +0530
@@ -44,6 +44,7 @@
 $configdata = $bi->get('configdata');
 $limit = isset($configdata['count']) ? $configdata['count'] : 5;
 $configdata['countcomments'] = true;
+ $configdata['viewid'] = $bi->get('view');
 $posts = ArtefactTypeBlogpost::get_posts($configdata['artefactid'], $limit, $offset, $configdata);
 $template = 'artefact:blog:viewposts.tpl';
 $pagination = array(
@@ -52,7 +53,6 @@
 'datatable' => 'postlist_' . $blockid,
 'jsonscript' => 'artefact/blog/posts.json.php',
 );
- $configdata['viewid'] = $bi->get('view');
 ArtefactTypeBlogpost::render_posts($posts, $template, $configdata, $pagination);
 } else {
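Review bot: `$limit` is handed to get_posts straight from the stored block configuration without being coerced, on the second context line of the first hunk, so a non-integer `count` value would travel into the query layer as-is; since the hunk already reorders the `$configdata` set-up, cast it there: `$limit = isset($configdata['count']) ? (int) $configdata['count'] : 5;`. Block configuration is saved by the view owner rather than taken from the raw request, so this is hardening rather than an exploitable hole, and `$offset`, which is defined before the hunk, presumably deserves the same treatment. A one-line comment on the moved assignment would record why the order matters: `// viewid must be in $configdata before get_posts() so post images resolve against the right view (Bug #886581)`. The enclosing branch begins before the hunk.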
@@ -36,7 +36,7 @@
 $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is in correct.';
 $string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser';
 $string['errormissinguserattributes'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases these SSO fields for First Name, Surname, and Email to the Service Provider Mahara is running on or inform the webmaster of this server.';
-//$string['idpidentity'] = 'IdP Identity Service';
+$string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off';
 $string['institutionattribute'] = 'Institution attribute (contains "%s")';
 $string['institutionvalue'] = 'Institution value to check against attribute';
 $string['institutionregex'] = 'Do partial string match with institution shortname';
diff -Nru mahara-1.4.1/htdocs/auth/saml/lib.php mahara-1.4.2/htdocs/auth/saml/lib.php
--- mahara-1.4.1/htdocs/auth/saml/lib.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/auth/saml/lib.php 2012-03-06 06:09:13.000000000 +0530
@@ -47,7 +47,7 @@
 $this->config['institutionregex'] = 0;
 $this->config['institutionvalue'] = '';
 $this->config['updateuserinfoonlogin'] = 1;
- $this->config['remoteuser'] = false;
+ $this->config['remoteuser'] = true;
 $this->instanceid = $id;
 if (!empty($id)) {
@@ -106,6 +106,7 @@
 // Retrieve a $user object. If that fails, create a blank one.
 try {
+ $isremote = $this->config['remoteuser'] ? true : false;
 $user = new User;
 if (get_config('usersuniquebyusername')) {
 // When turned on, this setting means that it doesn't matter
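Review bot: Flipping the constructor default to `$this->config['remoteuser'] = true;` only protects instances whose stored configuration lacks the key; an instance whose administrator explicitly saved `remoteuser = 0` before this release will, as far as the visible code shows, have that value loaded back in the `if (!empty($id))` branch that continues past the hunk, and will then be hard-stopped by the new login-time check rather than silently corrected. The diff bumps `$config->version` in lib/version.php but carries no `db/upgrade.php` step, so either one is missing from this package or the release notes need to tell affected sites to re-save the SAML instance settings. A comment on the new default would help the next reader: `// Match on the IdP's remote username by default: matching on the local username lets users of different IdPs claim each other's accounts (Bug #932909)`. The constructor this belongs to starts before the hunk.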
@@ -136,9 +137,15 @@
 . "somewhere else. Please turn this setting on in Site Options");
 throw new AccessDeniedException();
 }
- }
- $isremote = $this->config['remoteuser'] ? true : false;
+ else {
+ if (!$isremote){
+ log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: $institutionname. "
+ . "This is a security risk as users from different institutions with different IdPs can hijack "
+ . "each others accounts. Fix this in the institution level auth/saml settings.");
+ throw new AccessDeniedException();
+ }
+ }
 if ($isremote) {
 $user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote);
 }
@@ -282,7 +289,7 @@
 'institutionattribute' => '',
 'institutionvalue' => '',
 'institutionregex' => 0,
- 'remoteuser' => 0,
+ 'remoteuser' => 1,
 );
 public static function has_config() {
@@ -472,6 +479,10 @@
 $form->set_error('simplesamlphpconfig', get_string('errorbadconfig', 'auth.saml', $values['simplesamlphpconfig']));
 }
 }
+ // only allow remoteuser to be unset if usersuniquebyusername is NOT set
+ if (isset($values['remoteuser']) && !get_config('usersuniquebyusername') && !$values['remoteuser']) {
+ $form->set_error('remoteuser', get_string('errorremoteuser', 'auth.saml'));
+ }
 if (isset($values['weautocreateusers'])) {
 if ($values['weautocreateusers'] && $values['remoteuser']) {
 $form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
diff -Nru mahara-1.4.1/htdocs/lib/htmlpurifiercustom/YouTubeIframe.php mahara-1.4.2/htdocs/lib/htmlpurifiercustom/YouTubeIframe.php
--- mahara-1.4.1/htdocs/lib/htmlpurifiercustom/YouTubeIframe.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/lib/htmlpurifiercustom/YouTubeIframe.php 2012-03-06 06:09:13.000000000 +0530
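Review bot: The new `else` branch in the first hunk names only `$institutionname` in its `log_warn` message, but the condition being fixed is a site with several SAML instances, so an operator reading the log cannot tell which instance is misconfigured; `$this->instanceid` is already in scope (it is passed to `find_by_instanceid_username` three lines later) and should be included: `... for this institution: $institutionname (auth instance {$this->instanceid}). `. Throwing a bare `AccessDeniedException()` to the end user while keeping the detail in the log is the right split, since the message would otherwise reveal instance configuration to anyone who can reach the login. Two style nits on the added lines: `if (!$isremote){` is missing the space before the brace, and "each others accounts" should read "each other's accounts". The `try` block and the `if (get_config('usersuniquebyusername'))` statement this `else` pairs with both start outside the hunk.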
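Review bot: The form validation added in the last hunk is guarded by `isset($values['remoteuser'])`, so a submission in which the field is absent passes validation even when `usersuniquebyusername` is off, while the login-time check in the first hunk rejects exactly that configuration; the two should agree, and treating absence as "off" does it in one line: `if (!get_config('usersuniquebyusername') && empty($values['remoteuser'])) {`. If the form always submits the checkbox as 0/1 this is moot, but the `empty()` form also removes the undefined-index notice that the existing `$values['weautocreateusers'] && $values['remoteuser']` check two lines below would raise on an absent field. Note the consequence visible in that same check: auto-creation and remoteuser are mutually exclusive (`errorbadcombo`), so with this change auto-creation is no longer available on sites where usernames are not globally unique, which the help text for `weautocreateusers` should say. The validation method starts before the hunk.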
@@ -1,18 +1,20 @@ #'; + $pre_regex = '#]*>#'; $pre_replace = '\1'; return preg_replace($pre_regex, $pre_replace, $html); } public function postFilter($html, $config, $context) {
- $post_regex = '#([A-Za-z0-9]+)#';
+ $post_regex = '#('. VIDEOID_REGEXP . ')#';
 return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
 }
diff -Nru mahara-1.4.1/htdocs/lib/registration.php mahara-1.4.2/htdocs/lib/registration.php
--- mahara-1.4.1/htdocs/lib/registration.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/lib/registration.php 2012-03-06 06:09:13.000000000 +0530
@@ -109,7 +109,7 @@
 * Worker - performs sending of registration data to mahara.org
 */
 function registration_send_data() {
- $registrationurl = 'http://mahara.org/api/registration.php';
+ $registrationurl = 'https://mahara.org/api/registration.php';
 $data = registration_data();
 $request = array(
 CURLOPT_URL => $registrationurl,
diff -Nru mahara-1.4.1/htdocs/lib/version.php mahara-1.4.2/htdocs/lib/version.php
--- mahara-1.4.1/htdocs/lib/version.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/lib/version.php 2012-03-06 06:09:13.000000000 +0530
@@ -28,8 +28,8 @@
 defined('INTERNAL') || die();
 $config = new StdClass;
-$config->version = 2011061004;
-$config->release = '1.4.1';
+$config->version = 2011061006;
+$config->release = '1.4.2';
 $config->minupgradefrom = 2008040200;
 $config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';
 $config->disablelogin = true;
diff -Nru mahara-1.4.1/htdocs/user/view.php mahara-1.4.2/htdocs/user/view.php
--- mahara-1.4.1/htdocs/user/view.php 2011-11-01 10:06:08.000000000 +0530
+++ mahara-1.4.2/htdocs/user/view.php 2012-03-06 06:09:13.000000000 +0530
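Review bot: Switching the registration endpoint to https in `registration_send_data` only keeps the posted site data from being read or altered in transit if the curl request verifies the peer, and the `$request` array begun on the last context line shows only `CURLOPT_URL`; the rest of the function, outside the hunk, and whatever shared helper executes the request decide whether `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` are left at safe values. If that helper disables verification, as many projects of this vintage did, the change is cosmetic against an active attacker, so add `CURLOPT_SSL_VERIFYPEER => true,` and `CURLOPT_SSL_VERIFYHOST => 2,` to the array and confirm the helper does not override them. A comment on the URL would record the intent: `// HTTPS so registration data cannot be read or tampered with in transit (Bug #943772)`.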
@@ -64,9 +64,13 @@
 $view = $userobj->get_profile_view();
 }
+if (!$view) {
+ throw new AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'));
+}
+
 $viewid = $view->get('id');
 # access will either be logged in (always) or public as well
-if (!$view || !can_view_view($viewid)) {
+if (!can_view_view($viewid)) {
 throw new AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'));
 }