oss-sec mailing list archives

CVE request: mahara 1.7.3


From: Raphael Geissert <geissert () debian org>
Date: Tue, 8 Oct 2013 12:16:02 +0200

Hi,

Multiple vulnerabilities have been discovered and fixed in the 1.7.3
release of Mahara:

From [1]
* Bug #1211758 Arbitrary image download
* Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
* Bug #1233500 Not checking ownership of blocks before editing them

1st and 3rd issues are described at:
https://mahara.org/interaction/forum/topic.php?id=5753

2nd issue is described at:
https://mahara.org/interaction/forum/topic.php?id=5754

Could CVE ids be assigned please?

To Hugh and the other mahara security people: please chime in if you
have already requested ids to somebody else.

[1] https://launchpad.net/mahara/1.7/1.7.3#release-notes

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

