Debian: DSA-2246-1: mahara security update

    Date29 May 2011
    CategoryDebian
    35
    Posted ByLinuxSecurity Advisories
    Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder. The following Common Vulnerabilities and Exposures project ids identify them:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2246-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                         Giuseppe Iuculano
    May 29, 2011                           http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : mahara
    Vulnerability  : several vulnerabilities
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2011-1402 CVE-2011-1403 CVE-2011-1404 CVE-2011-1405 
                     CVE-2011-1406
    
    
    Several vulnerabilities were discovered in mahara, an electronic portfolio,
    weblog, and resume builder. The following Common Vulnerabilities and
    Exposures project ids identify them:
    
    
    CVE-2011-1402
    
      It was discovered that previous versions of Mahara did not check user
      credentials before adding a secret URL to a view or suspending a user.
    
    
    CVE-2011-1403
    
      Due to a misconfiguration of the Pieform package in Mahara, the cross-site
      request forgery protection mechanism that Mahara relies on to harden its
      form was not working and was essentially disabled.
      This is a critical vulnerability which could allow attackers to trick other
      users (for example administrators) into performing malicious actions on
      behalf of the attacker. Most Mahara forms are vulnerable.
    
    
    CVE-2011-1404
    
      Many of the JSON structures returned by Mahara for its AJAX interactions
      included more information than what ought to be disclosed to the logged in
      user. New versions of Mahara limit this information to what is necessary for
      each page.
    
    
    CVE-2011-1405
    
      Previous versions of Mahara did not escape the contents of HTML emails sent
      to users. Depending on the filters enabled in one's mail reader, it could
      lead to cross-site scripting attacks.
    
    
    CVE-2011-1406 
    
      It has been pointed out to us that if Mahara is configured (through its
      wwwroot variable) to use HTTPS, it will happily let users login via the HTTP
      version of the site if the web server is configured to serve content over
      both protocol. The new version of Mahara will, when the wwwroot points to an
      HTTPS URL, automatically redirect to HTTPS if it detects that it is being
      run over HTTP.
    
      We recommend that sites wanting to run Mahara over HTTPS make sure that
      their web server configuration does not allow the serving of content over
      HTTP and merely redirects to the secure version. We also suggest that site
      administrators consider adding the HSTS headers
      (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) to their web
      server configuration.
    
    
    For the oldstable distribution (lenny), these problems have been fixed in
    version 1.0.4-4+lenny10.
    
    For the stable distribution (squeeze), these problems have been fixed in
    version 1.2.6-2+squeeze2.
    
    For the testing distribution (wheezy), these problems have been fixed in
    version 1.3.6-1.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.3.6-1.
    
    We recommend that you upgrade your mahara packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"5","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":33.33,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"1","type":"x","order":"3","pct":11.11,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.