oss-sec mailing list archives

Re: CVE request: mahara 1.7.3


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 10 Oct 2013 23:36:01 -0600


On 10/08/2013 04:16 AM, Raphael Geissert wrote:
Hi,

Multiple vulnerabilities have been discovered and fixed in the
1.7.3 release of Mahara:

From [1]:
* Bug #1211758 Arbitrary image download
* Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
* Bug #1233500 Not checking ownership of blocks before editing them

1st and 3rd issues are described at:
https://mahara.org/interaction/forum/topic.php?id=5753

2nd issue is described at:
https://mahara.org/interaction/forum/topic.php?id=5754

Could CVE ids be assigned please?

To Hugh and the other mahara security people: please chime in if
you have already requested ids to somebody else.

[1] https://launchpad.net/mahara/1.7/1.7.3#release-notes

Thanks,


Can you include links to the code fixes? Thanks.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

