Blogs get deleted without sesskey check

Please note that both debdiffs are currently embargoed and should not be released while this bug is private.

We'll change the bug status once the upstream release has happened and therefore made these problems public.

This security vulnerability is now public.

Oops, that Natty debdiff is not for natty at all, but rather for Maverick!

Here a deb diff for Maverick

Subscribing ubuntu-security-sponsors, as this is a security update.

Thank you for your time and efforts making Ubuntu better! However, there are some issues:

1) You used package version 1.2.5-2, but current natty's version is 1.2.6-2. Could you check it?

2) Natty is already development stage and you shouldn't use -security target. Please use just natty.

3) In d/changelog:
  - You used .dpatch for describe files, but they've been called .patch.
  - Please add (LP: #BUGNUMBER) to appropriate fields.

4) Improve DEP3 tags:
  - Origin: upstream, - please give a http link to bazaar/git/svn upstream where we can browse patch.
  - Please use short URL, so: Bug: https://launchpad.net/bugs/710428

Please also consider fix the rest patches with suggestions above.

Hi Artur,

Disregard the natty patch, I'll be filing a sync request from unstable for that one.

Cheers,
Francois

Please don't set status as Invalid cause natty is affected and invalid means that bug doesn't affect natty. You can resolve it by two ways:
1 - use tag LP: #676336 in d/changelog in Debian unstable and file individual report for sync
2 - if you don't have LP tag in d/changelog, please just comment package to sync here and we will handle sync.

Artur, sorry about that.

The package to sync from sid to natty is mahara 1.2.7-1:

mahara (1.2.7-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2011-0439 (XSS in select boxes)
    - CVE-2011-0440 (CSRF when deleting blogs)

  * Add Italian debconf translation (closes: #606378)
  * Add Danish debconf translation (closes: #597766)
  * Bump debhelper compatibility to 8

MOTU SWAT ACK.

Thank you for your contribution!

    mahara | 1.2.7-1 | natty/universe | source, all

François, if you could in the future include URLs to the patches, it would be much easier to reconcile them:

+Origin: upstream, commit:3b1dc78070988b68fa7a8495c19957d83c204d95

maps to:

http://gitorious.org/mahara/mahara/commit/3b1dc78070988b68fa7a8495c19957d83c204d95

+Origin: upstream, commit:fcee1996e56588f2f0f54f627d3b75e695b03e1b

maps to:

http://gitorious.org/mahara/mahara/commit/fcee1996e56588f2f0f54f627d3b75e695b03e1b

Which took a fair bit of investigation to figure out.

However, these look exactly clean, and the patches fix a security vulnerability, so I see no reason to delay uploading them.

As Artur said, the url would be much more useful than just the commit ID.

I've built with the debdiffs for lucid and maverick, and installed them. I was able to perform the mahara install and browse the site. I didn't try to reproduce the security vulnerabilities, as creating users and sending emails from inside a chroot can be difficult, but the code fixes are extremely straightforward and identical to the patches applied upstream, so I'm confident the issue is resolved.

As such I've marked the Lucid and Maverick tasks as confirmed.

Thanks for the patches! Sorry for the delay; I am processing these now. I might mention that in the future to follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for versions (eg, maverick should have 1.2.5-2ubuntu0.1) and to reference the bug number in the changelog (eg LP: #676336). I did both of these and have uploaded to the security ppa. I will publish once they are done building.

This bug was fixed in the package mahara - 1.2.5-2ubuntu0.1

---------------
mahara (1.2.5-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336
  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440
 -- Francois Marier <email address hidden> Fri, 25 Mar 2011 16:38:51 +1300

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.2

---------------
mahara (1.2.4-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336

  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440
 -- Francois Marier <email address hidden> Fri, 18 Mar 2011 15:51:03 +1300