oss-sec mailing list archives
Re: CVE request: mahara 1.7.3
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 10 Oct 2013 23:36:01 -0600
On 10/08/2013 04:16 AM, Raphael Geissert wrote:
> Hi,
>
> Multiple vulnerabilities have been discovered and fixed in the 1.7.3 release of Mahara:
>
> From [1]
> * Bug #1211758 Arbitrary image download
> * Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
> * Bug #1233500 Not checking ownership of blocks before editing them
>
> 1st and 3rd issues are described at:
> https://mahara.org/interaction/forum/topic.php?id=5753
> 2nd issue is described at:
> https://mahara.org/interaction/forum/topic.php?id=5754
>
> Could CVE ids be assigned please?
>
> To Hugh and the other mahara security people: please chime in if you have already requested ids to somebody else.
>
> [1] https://launchpad.net/mahara/1.7/1.7.3#release-notes
>
> Thanks,

Can you include links to the code fixes thanks.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993