oss-sec mailing list archives
Re: Re: CVE request: mahara 1.7.3
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Oct 2013 23:50:47 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/15/2013 06:18 AM, Raphael Geissert wrote:
> So, the commits...
>
> On 8 October 2013 12:16, Raphael Geissert <geissert () debian org> wrote:
>> Hi,
>>
>> Multiple vulnerabilities have been discovered and fixed in the 1.7.3
>> release of Mahara:
>>
>> From [1]
>> * Bug #1211758 Arbitrary image download
>
> https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833
>
>> * Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections
>
> https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830
>
>> * Bug #1233500 Not checking ownership of blocks before editing them
>
> https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832
>
> And while at it I found the following:
> https://bugs.launchpad.net/mahara/+bug/1034180
> https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831
>
> Which doesn't appear to be mentioned in the changelog, but the bug
> report clearly states it was meant to be handled as a security issue.
>
> Cheers,

Please use:

CVE-2013-4429 Mahara Bug #1211758 Arbitrary image download

CVE-2013-4430 Mahara Bug #1175446 user supplied $_SERVER['HTTP_HOST'] can be used for injections

CVE-2013-4431 Mahara Bug #1233500 Not checking ownership of blocks before editing them

CVE-2013-4432 Mahara A group member with no access rights to folder can still view it - https://bugs.launchpad.net/mahara/+bug/1034180

- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSXik3AAoJEBYNRVNeJnmTSCcQAJ4j2ICSEgsXCLb+SM8XOpxh
1JoZtR+D9pGNgDJszJh6MtMapqUQcXoMxBkzoUEqKwCQ+EfW6PhKtruWMsN/EFIL
/HkLm309Qsp/40g1UUyuXnAtq0rproLI4cCD0dKtfzXnRsNVI5DY70nvohLDk04j
VPNJNDcBWewCY9QFQZgXDlawTUSj+cW/sjJnqSQ6WuiJ67xOgAafzFKdfossKjCc
hmvIOe+92f4d8fAg4g4YDMz0hcM1jkVeqSZ0wBTq0ENtGt5OjMMuW2WA53KdfgVF
utKKH38U3/AGUK5AArYxD3748Q6qxsm9Nw2qBjUcTCHruSbZnC3BXjjXa+YPMR3v
oooJcG1ImIdq2Lyc3gW7rLA1JCQBOX/BAAs5OyVjRmQpBCdUHXiB1e9nSt3WkPrc
+blYpSFmR/61dQkHwsJAqLBVMkD1RPKTRBKx2Gge8A2z7KmgOMoP/biON//IyIdt
xteDCOhLnJ/Y4IFa0prhWynnC/DUWMK86HWS5Ev3B4/6tqpIShn0hQD4OaHLp4SO
FQNLSV0dVkZB9qaxZCdqAGMITx2fxxQmYSLk1ITrUNXxjtxNd9Iw5yHUKMZYvvw3
W8wi+RAi623qcuH5icEr9/i5jdWxvKNleiMn5HlIZ+nM6MJrEoPfYq0NlRHJESG0
YPvzE13gCzPdXFPEOeCo
=QBLt
-----END PGP SIGNATURE-----
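Editor's added example, not part of the thread above and not Mahara's code: the bug class behind CVE-2013-4430 ("user supplied $_SERVER['HTTP_HOST'] can be used for injections") is that PHP fills $_SERVER['HTTP_HOST'] straight from the client's Host header, so any absolute URL built from it (a password-reset link mailed to another user, a redirect target) carries an attacker-chosen host. The snippet below shows the trusting pattern beside a hardened one. The file name forgotpass.php, the $config['wwwroot'] setting, the allowlist and the request values are assumptions made for the illustration, not details taken from the Mahara fix.

```php
<?php
// Added illustration of the $_SERVER['HTTP_HOST'] issue class. Not Mahara's
// code: forgotpass.php, $config['wwwroot'] and the allowlist are assumed.

// Constructed request: the Host header is whatever the client sends, so a
// request carrying "Host: evil.example" populates $_SERVER['HTTP_HOST'] with it.
$_SERVER['HTTP_HOST'] = 'evil.example';

// Vulnerable pattern: derive an absolute URL (for instance a password-reset
// link that is e-mailed to the victim) from the request's Host header. The
// attacker picks the host the victim will click on.
function reset_link_unsafe(string $key): string
{
    return 'https://' . $_SERVER['HTTP_HOST'] . '/forgotpass.php?key=' . rawurlencode($key);
}

// Hardened pattern: absolute URLs come from a configured canonical root, and
// the Host header is only ever compared against an explicit allowlist.
$config = ['wwwroot' => 'https://mahara.example.org/'];   // assumed config key
$allowed_hosts = ['mahara.example.org', 'mahara.example.org:443'];

function host_is_allowed(string $host, array $allowed): bool
{
    // Exact, case-insensitive comparison. Substring or regex matching is
    // bypassable with hosts such as "mahara.example.org.evil.example".
    return in_array(strtolower($host), array_map('strtolower', $allowed), true);
}

// Returns null when the Host header is not one of ours; the caller should
// then answer with 400 rather than serve the request.
function reset_link_safe(string $key, array $config, array $allowed): ?string
{
    if (!host_is_allowed($_SERVER['HTTP_HOST'] ?? '', $allowed)) {
        return null;
    }
    return rtrim($config['wwwroot'], '/') . '/forgotpass.php?key=' . rawurlencode($key);
}

echo "unsafe: ", reset_link_unsafe('abc'), "\n";

$safe = reset_link_safe('abc', $config, $allowed_hosts);
echo "safe:   ", $safe ?? 'rejected (Host header not in allowlist)', "\n";

// Same request with the legitimate host: the hardened version now builds the
// link, but from $config['wwwroot'], never from the header itself.
$_SERVER['HTTP_HOST'] = 'mahara.example.org';
echo "safe:   ", reset_link_safe('abc', $config, $allowed_hosts), "\n";
```

One caveat worth checking in a deployment: $_SERVER['SERVER_NAME'] is not a safe substitute, because with Apache's default UseCanonicalName Off it is also derived from the Host header; the fixed value has to come from application configuration.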
Current thread:
- CVE request: mahara 1.7.3 Raphael Geissert (Oct 08)
- Re: CVE request: mahara 1.7.3 Raphael Geissert (Oct 10)
- Re: CVE request: mahara 1.7.3 Kurt Seifried (Oct 10)
- Re: CVE request: mahara 1.7.3 Raphael Geissert (Oct 15)
- Re: Re: CVE request: mahara 1.7.3 Kurt Seifried (Oct 15)