Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/lucid-security/mahara

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

20. By Melissa Draper

* SECURITY UPDATE: Fix default config for sites with multiple SAML instances
  - Default configuration changed to prevent impersonation (LP: #958841)
  - debian/patches/saml_multi_default_config.patch: upstream patch

19. By Melissa Draper

* SECURITY UPDATE: XSS in unvalidated URI attributes
  - Added a filter to sanitise user input urls (LP: #888358)
  - debian/patches/CVE-2011-2771.patch: upstream patch
  - CVE-2011-2771

* SECURITY UPDATE: DoS attack via invalid or excessively large images
  - Added a check to evaluate available memory before processing
    (LP: #888358)
  - debian/patches/CVE-2011-2772.patch: upstream patch
  - CVE-2011-2772

* SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
  them to an institution
  - Session check added (LP: #888358)
  - debian/patches/CVE-2011-2773.patch: upstream patch
  - CVE-2011-2773

* SECURITY UPDATE: Prevent masquerading users from jumping as others
  - Added a check to prevent jumping as other users. (LP: #888358)
  - debian/patches/mnet_masquerading.patch: upstream patch

18. By François Marier

* SECURITY UPDATE: fixes to session key validation (CSRF)
  - debian/patches/CVE-2011-1403.patch: upstream patch

* SECURITY UPDATE: privilege escalations
  - debian/patches/CVE-2011-1402.patch: upstream patch

* SECURITY UPDATE: information disclosure in AJAX calls
  - debian/patches/CVE-2011-1404.patch: upstream patch

* SECURITY UPDATE: https to http downgrade
  - debian/patches/CVE-2011-1406.patch: upstream patch

* SECURITY UPDATE: sanitisation of HTML emails
  - debian/patches/CVE-2011-1405.patch: upstream patch

17. By François Marier

* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2011-0439.dpatch: upstream patch
  - CVE-2011-0439
  - LP: #676336

* SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
  - debian/patches/CVE-2011-0440.dpatch: upstream patch
  - CVE-2011-0440

16. By François Marier

* SECURITY UPDATE: multiple cross-site scripting vulnerabilities
  - debian/patches/CVE-2010-1667.patch: upstream patch
  - CVE-2010-1667

* SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
  - debian/patches/CVE-2010-1668.patch: upstream patch
  - CVE-2010-1668
  - debian/patches/CVE-2010-1669.patch: upstream patch
  - CVE-2010-1669

* SECURITY UPDATE: unsafe auth plugins configuration options
  - debian/patches/CVE-2010-1670.patch: upstream patch
  - CVE-2010-1670

* SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
  - depend on php-htmlpurifier and stop using the bundled version
  - CVE-2010-2479

15. By François Marier

* New upstream release
  - fix for SQL injection (CVE-2010-0400)

14. By Chuck Short

debian/control: Don't recommend mysql-server-5.0.

13. By François Marier

Fix postrm script so that Mahara can be uninstalled

12. By François Marier

* New upstream release
  - Privilege escalation fix (CVE-2009-3298)
  - XSS fix (CVE-2009-3299)

* Bump Standards-Version up to 3.8.3
* Switch packaging license to refer to GPL-3
* debian/mahara.config: Move -e to a separate line to silence lintian

11. By Jamie Strandboge

[ Francois Marier ]
* SECURITY UPDATE: privilege escalation (LP: #463082)
  - debian/patches/CVE-2009-3298.dpatch: fix from upstream
  - CVE-2009-3298
* SECURITY UPDATE: cross-site scripting vulnerability (LP: #463083)
  - debian/patches/CVE-2009-3299.dpatch: fix from upstream
  - CVE-2009-3299
* Add dpatch support

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)