Major security updates for Mahara

Bug #780917 reported by François Marier
Affects           Status        Importance  Assigned to  Milestone
mahara (Ubuntu)   Fix Released  Undecided   Unassigned
  Lucid           Fix Released  High        Unassigned
  Maverick        Fix Released  High        Unassigned
  Natty           Fix Released  High        Unassigned
  Oneiric         Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: mahara

Here are packages to fix a number of very serious security issues in all versions of Mahara:

 * fixes to session key validation (CSRF)
 * privilege escalations
 * information disclosure in AJAX calls
 * https to http downgrade
 * sanitisation of HTML emails

Tags: patch
François Marier (fmarier) wrote :
visibility: private → public
François Marier (fmarier) wrote :

All of these patches were tested in their respective distro versions.

François Marier (fmarier) wrote :
tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Thanks for the patches!

Adding ubuntu-security-sponsors to subscribers as per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue (which is why this didn't show up on our reports and wasn't tended to yet).

Jamie Strandboge (jdstrand) wrote :

Oneiric has 1.3.6-1, which is not vulnerable.

Changed in mahara (Ubuntu Oneiric):
status: New → Fix Released
Changed in mahara (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
Changed in mahara (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
Changed in mahara (Ubuntu Natty):
status: New → Triaged
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs! Packages are building now and will be released today.

Changed in mahara (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Lucid):
status: Fix Committed → Fix Released