Message-ID: <4FADFDF2.5050703@redhat.com>
Date: Sat, 12 May 2012 00:06:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE request: mahara

On 05/11/2012 02:06 PM, Moritz Muehlenhoff wrote:
> Hi, please assign a CVE ID for this issue in Mahara, which was
> released as http://www.debian.org/security/2012/dsa-2467:
>
> | It was discovered that Mahara, the portfolio, weblog, and resume builder,
> | had an insecure default with regards to SAML-based authentication used
> | with more than one SAML identity provider. Someone with control over one
> | IdP could impersonate users from other IdP's.
>
> Upstream bug is: https://bugs.launchpad.net/mahara/+bug/932909
>
> Upstream commit:
> http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
>
> Cheers,
> Moritz

Please use CVE-2012-2351 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993