Several security updates for Mahara
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mahara (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Fix Released | High | Steve Beattie |
Maverick | Fix Released | High | Steve Beattie |
Natty | Fix Released | High | Steve Beattie |
Oneiric | Fix Released | High | Steve Beattie |
Precise | Fix Released | High | Unassigned |
Bug Description
Here are patches to fix a number of very serious security issues in lucid, maverick, natty and oneiric versions of Mahara.
Issues affecting both 1.2.x and 1.4.0 are:
* XSS in unvalidated URI attributes
  - CVE-2011-2771
  - Upstream advisory: http://
* DoS attack via invalid or excessively large images
  - CVE-2011-2772
  - Upstream advisory: http://
* XSRF allowing attackers to trick an admin into adding them to an institution
  - CVE-2011-2773
  - Upstream advisory: http://
* Prevent masquerading users from jumping via XMLRPC as others
  - CVE pending from oss-sec list via debian security list
  - Upstream advisory: http://
One issue affects the 1.4.0 version of Mahara in Oneiric:
* Information disclosure exposing private messages
  - CVE-2011-2774
  - Upstream advisory: http://
Changed in mahara (Ubuntu Lucid): status: New → Confirmed
Changed in mahara (Ubuntu Maverick): status: New → Confirmed
Changed in mahara (Ubuntu Natty): status: New → Confirmed
Changed in mahara (Ubuntu Oneiric): status: New → Confirmed
Changed in mahara (Ubuntu Precise): status: New → Confirmed
Changed in mahara (Ubuntu Lucid): importance: Undecided → High
Changed in mahara (Ubuntu Maverick): importance: Undecided → High
Changed in mahara (Ubuntu Natty): importance: Undecided → High
Changed in mahara (Ubuntu Oneiric): importance: Undecided → High
Changed in mahara (Ubuntu Precise): importance: Undecided → High
Thanks for reporting this bug and attaching a series of debdiffs. As these are security uploads, they need to be sponsored by the security team.
The patches look great. Whilst reviewing, I did notice a couple of trivial things:
- patches/*.patch: Great to see use of DEP-5 headers, although it's not clear to me if these patches are actually applied upstream or just submitted (useful to know when they can be dropped).
- debian/control: The Maintainer field update wouldn't normally be appropriate for a stable release update.
- debian/changelog:
  - It is convention to wrap at 80 chars.
  - No LP: #888358, which will close these bugs.
  - The CVE numbers should be quoted on a standalone line.
  - "How the bad guys can win" is described, but a high level comment on /how/ it is resolved isn't documented.
- debian/
For an example of changelog formatting for security uploads, please see the template on: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
Thanks.