Cross-site scripting vulnerabilities

Bug #390471 reported by François Marier
Affects           Status        Importance  Assigned to  Milestone
mahara (Ubuntu)   Invalid       Undecided   Unassigned
  Intrepid        Invalid       Medium      Unassigned
  Jaunty          Fix Released  Medium      Unassigned
  Karmic          Invalid       Undecided   Unassigned

Bug Description

Binary package hint: mahara

This bug doesn't yet have a CVE number, but it was reported on vendor-sec.

I will upload a debdiff for jaunty.

CVE References

François Marier (fmarier) wrote :

(The embargo on this is pretty much over, the upstream announcements will happen in the next hour or two.)

François Marier (fmarier) wrote :

This is the upstream announcement:

  http://mahara.org/interaction/forum/topic.php?id=752

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Karmic now has 1.1.5-1 and is not affected.

Changed in mahara (Ubuntu Karmic):
status: New → Invalid
Changed in mahara (Ubuntu Intrepid):
status: New → In Progress
importance: Undecided → Medium
Changed in mahara (Ubuntu Jaunty):
status: New → In Progress
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Marking 'In Progress' as per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

François, would it be possible to update the debdiff to include http://mahara.org/interaction/forum/topic.php?id=753 (CVE-2009-2171)? Are you planning on supplying a debdiff for Intrepid?

François Marier (fmarier) wrote :

Hi Jamie,

The version in jaunty/intrepid is not affected by CVE-2009-2171, since that problem was introduced in the 1.1 series of Mahara.

In terms of the intrepid package, I believe that, as with previous security fixes, we can ignore it because it has never worked at all (e.g. you can't log in). It's only with jaunty that Ubuntu is shipping a functional Mahara.

Cheers,
Francois

Jamie Strandboge (jdstrand) wrote :

Marking Intrepid back to Confirmed, since there is no debdiff.

François, thanks for your response and debdiff. Regarding Intrepid's usability, if you are up to it, feel free to fix it following https://wiki.ubuntu.com/StableReleaseUpdates with any security patches added in.

Changed in mahara (Ubuntu Intrepid):
status: In Progress → Confirmed
Jamie Strandboge (jdstrand) wrote :

François, I reviewed the debdiff and it didn't quite follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Most notably, there was no CVE reference and the distribution name was simply 'jaunty' (it should have been 'jaunty-security'). We also encourage using https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines. I've fixed the first two and will upload since the debdiff has been here a while. Thanks again for your work on this! :)

Changed in mahara (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.0.9-2ubuntu0.4

---------------
mahara (1.0.9-2ubuntu0.4) jaunty-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerabilities (LP: #390471)
    - debian/patches/XSS_escaping.dpatch: fix from upstream
    - CVE-2009-2170

 -- Francois Marier <email address hidden> Mon, 22 Jun 2009 15:04:27 +1200

Changed in mahara (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Chris Johnston (cjohnston) wrote :

Re-linked CVE links that were removed. Please double check them.

Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010, so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in mahara (Ubuntu Intrepid):
status: Confirmed → Invalid