Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAA7hUgH2+YdcjJ7z5Gc+Pb2F6KpohSjX120H98TXWBG4cHcbGQ@mail.gmail.com>
Date: Tue, 15 Oct 2013 14:18:48 +0200
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: mahara 1.7.3

So, the commits...

On 8 October 2013 12:16, Raphael Geissert <geissert@...ian.org> wrote:
> Hi,
>
> Multiple vulnerabilities have been discovered and fixed in the 1.7.3
> release of Mahara:
>
> From [1]
>> * Bug #1211758 Arbitrary image download

https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833

>> * Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections

https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830

>> * Bug #1233500 Not checking ownership of blocks before editing them

https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832


And while at I found the following:

https://bugs.launchpad.net/mahara/+bug/1034180
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831

Which doesn't appear to be mentioned in the changelog, but the bug
report clearly states it was meant to be handled as a security issue.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.