lp:ubuntu/lucid-security/mahara

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

20. By Melissa Draper on 2012-03-21

* SECURITY UPDATE: Fix default config for sites with multiple SAML instances
  - Default configuration changed to prevent impersonation (LP: #958841)
  - debian/patches/saml_multi_default_config.patch: upstream patch

19. By Melissa Draper on 2011-11-02

* SECURITY UPDATE: XSS in unvalidated URI attributes
  - Added a filter to sanitise user input urls (LP: #888358)
  - debian/patches/CVE-2011-2771.patch: upstream patch
  - CVE-2011-2771

* SECURITY UPDATE: DoS attack via invalid or excessively large images
  - Added a check to evaluate available memory before processing
    (LP: #888358)
  - debian/patches/CVE-2011-2772.patch: upstream patch
  - CVE-2011-2772

* SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
  them to an institution
  - Session check added (LP: #888358)
  - debian/patches/CVE-2011-2773.patch: upstream patch
  - CVE-2011-2773

* SECURITY UPDATE: Prevent masquerading users from jumping as others
  - Added a check to prevent jumping as other users. (LP: #888358)
  - debian/patches/mnet_masquerading.patch: upstream patch

18. By François Marier on 2011-05-10

* SECURITY UPDATE: fixes to session key validation (CSRF)
  - debian/patches/CVE-2011-1403.patch: upstream patch

* SECURITY UPDATE: privilege escalations
  - debian/patches/CVE-2011-1402.patch: upstream patch

* SECURITY UPDATE: information disclosure in AJAX calls
  - debian/patches/CVE-2011-1404.patch: upstream patch

* SECURITY UPDATE: https to http downgrade
  - debian/patches/CVE-2011-1406.patch: upstream patch

* SECURITY UPDATE: sanitisation of HTML emails
  - debian/patches/CVE-2011-1405.patch: upstream patch

17. By François Marier on 2011-03-18

* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2011-0439.dpatch: upstream patch
  - CVE-2011-0439
  - LP: #676336

* SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
  - debian/patches/CVE-2011-0440.dpatch: upstream patch
  - CVE-2011-0440

16. By François Marier on 2010-07-08

* SECURITY UPDATE: multiple cross-site scripting vulnerabilities
  - debian/patches/CVE-2010-1667.patch: upstream patch
  - CVE-2010-1667

* SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
  - debian/patches/CVE-2010-1668.patch: upstream patch
  - CVE-2010-1668

* SECURITY UPDATE: SQL injection
  - debian/patches/CVE-2010-1669.patch: upstream patch
  - CVE-2010-1669

* SECURITY UPDATE: unsafe auth plugins configuration options
  - debian/patches/CVE-2010-1670.patch: upstream patch
  - CVE-2010-1670

* SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
  - depend on php-htmlpurifier and stop using the bundled version
  - CVE-2010-2479

15. By François Marier on 2010-04-06

* New upstream release
  - fix for SQL injection (CVE-2010-0400)

14. By Chuck Short on 2010-04-07

debian/control: Dont recommend mysql-server-5.0.

13. By François Marier on 2009-11-27

Fix postrm script so that Mahara can be uninstalled

12. By François Marier on 2009-10-30

* New upstream release
  - Privilege escalation fix (CVE-2009-3298)
  - XSS fix (CVE-2009-3299)

* Bump Standards-Version up to 3.8.3
* Switch packaging license to refer to GPL-3
* debian/mahara.config: Move -e to a separate line to silence lintian

11. By Jamie Strandboge on 2009-11-04

[ Francois Marier ]
* SECURITY UPDATE: privilege escalation (LP: #463082)
  - debian/patches/CVE-2009-3298.dpatch: fix from upstream
  - CVE-2009-3298
* SECURITY UPDATE: cross-site scripting vulnerability (LP: #463083)
  - debian/patches/CVE-2009-3299.dpatch: fix from upstream
  - CVE-2009-3299
* Add dpatch support