oss-sec mailing list archives
Re: CVE request: mahara 1.7.3
From: Raphael Geissert <geissert () debian org>
Date: Tue, 15 Oct 2013 14:18:48 +0200
So, the commits...

On 8 October 2013 12:16, Raphael Geissert <geissert () debian org> wrote:
Hi,

Multiple vulnerabilities have been discovered and fixed in the 1.7.3 release of Mahara:

From [1]
* Bug #1211758 Arbitrary image download
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833
* Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830
* Bug #1233500 Not checking ownership of blocks before editing them
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832

And while at it I found the following:
https://bugs.launchpad.net/mahara/+bug/1034180
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831

Which doesn't appear to be mentioned in the changelog, but the bug report clearly states it was meant to be handled as a security issue.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net