oss-sec mailing list archives
Re: CVE request: mahara
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 12 May 2012 00:06:42 -0600
On 05/11/2012 02:06 PM, Moritz Muehlenhoff wrote:
> Hi,
> please assign a CVE ID for this issue in Mahara, which was released
> as http://www.debian.org/security/2012/dsa-2467:
>
> | It was discovered that Mahara, the portfolio, weblog, and resume builder,
> | had an insecure default with regards to SAML-based authentication used
> | with more than one SAML identity provider. Someone with control over one
> | IdP could impersonate users from other IdP's.
>
> Upstream bug is:
> https://bugs.launchpad.net/mahara/+bug/932909
>
> Upstream commit:
> http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
>
> Cheers,
> Moritz

Please use CVE-2012-2351 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993