oss-sec mailing list archives
CVE request: mahara 1.7.3
From: Raphael Geissert <geissert () debian org>
Date: Tue, 8 Oct 2013 12:16:02 +0200
Hi,

Multiple vulnerabilities have been discovered and fixed in the 1.7.3 release of Mahara:

From [1]
* Bug #1211758 Arbitrary image download
* Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
* Bug #1233500 Not checking ownership of blocks before editing them

1st and 3rd issues are described at:
https://mahara.org/interaction/forum/topic.php?id=5753

2nd issue is described at:
https://mahara.org/interaction/forum/topic.php?id=5754

Could CVE ids be assigned please?

To Hugh and the other mahara security people: please chime in if you have already requested ids to somebody else.

[1] https://launchpad.net/mahara/1.7/1.7.3#release-notes

Thanks,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net