Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?
(Please CC me on your replies, thanks!)
Hello,
The version of mahara that's in lenny (1.0.4-3) has an XSS vulnerability as
reported in the release notes:
http://mahara.org/interaction/forum/topic.php?id=198
(no Debian bug or CVE number for it at the moment)
There is a new upstream release (1.0.9) containing these fixes in
sid. However, given that it contains other non-security changes, I have also
prepared a patched 1.0.4 version for lenny.
I have attached the very small debdiff between -3 and -4 to this email.
Please let me know whether I should upload 1.0.4-4 to
testing-proposed-updates or whether you prefer to unblock the package that's
in sid.
Cheers,
Francois
diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog
--- mahara-1.0.4/debian/changelog
+++ mahara-1.0.4/debian/changelog
@@ -1,3 +1,12 @@
+mahara (1.0.4-4) testing-proposed-updates; urgency=low
+
+ * Fix XSS issues in forum descriptions and posts, backported from
+ these upstream commits:
+ a3a3824aadcaebd6e416d5b18b1f1129c0f30cac
+ b86d471361456a9b7c58492121feb1ae85222ada
+
+ -- Francois Marier <francois@debian.org> Wed, 04 Feb 2009 14:51:32 +1300
+
mahara (1.0.4-3) testing-proposed-updates; urgency=high
* Depend on libphp-snoopy instead of using the embedded copy shipped
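Review bot: The new 1.0.4-4 entry is marked urgency=low even though its only change is an XSS fix, while the 1.0.4-3 entry directly below it used urgency=high. Consider raising the urgency so the fix is not delayed. The entry names two upstream commit hashes but not the affected templates or the upstream announcement, so adding those (and a Closes: or CVE reference once one exists) would make the entry traceable without looking up the commits.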
only in patch2:
unchanged:
--- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/view.tpl
+++ mahara-1.0.4/htdocs/interaction/forum/theme/default/view.tpl
@@ -8,7 +8,7 @@
<div id="viewforum">
<table id="forumdescription">
<tr>
- <td>{$forum->description}</td>
+ <td>{$forum->description|clean_text}</td>
{if $admin}
<td align="right" class="nowrap">
<a href="{$WWWROOT}interaction/edit.php?id={$forum->id|escape}" class="btn-editdk">{str tag="edittitle" section="interaction.forum"}</a></td>
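Review bot: The changed line filters {$forum->description|clean_text} at render time in this one template only, so any other template that prints $forum->description still emits it raw unless it is patched too; please confirm view.tpl is the only place the description is output, or sanitize the value where it is stored. The adjacent context line uses |escape for $forum->id, so a short comment explaining that the description is expected to carry markup, and therefore goes through clean_text rather than escape, would help the next reader.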
only in patch2:
unchanged:
--- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/simplepost.tpl
+++ mahara-1.0.4/htdocs/interaction/forum/theme/default/simplepost.tpl
@@ -19,6 +19,6 @@
{$post->poster|display_name|escape}</a></h5>
<div><img src="{$WWWROOT}thumb.php?type=profileicon&maxsize=100&id={$post->poster}" alt=""></div>
<h5>{$post->postcount}</h5></td>
- <td>{$post->body}</td>
+ <td>{$post->body|clean_text}</td>
</tr>
</table>
\ No newline at end of file
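Review bot: In the context lines of this hunk, id={$post->poster} inside the thumb.php URL and {$post->postcount} are still emitted with no filter, while the neighbouring {$post->poster|display_name|escape} is escaped. If those two values are not guaranteed to be integers at this point, they need |escape as well, and adding it would be cheap in any case. As with the forum description, the |clean_text on {$post->body} only covers this template, so other views that render a post body should be checked for the same omission.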