(Please CC me on your replies, thanks!)

Hello,

The version of mahara that's in lenny (1.0.4-3) has an XSS vulnerability as reported in the release notes:

http://mahara.org/interaction/forum/topic.php?id=198

(no Debian bug or CVE number for it at the moment)

There is a new upstream release (1.0.9) containing these fixes in sid. However, given that it contains other non-security changes, I have also prepared a patched 1.0.4 version for lenny. I have attached the very small debdiff between -3 and -4 to this email.

Please let me know whether I should upload 1.0.4-4 to testing-proposed-updates or whether you prefer to unblock the package that's in sid.

Cheers,
Francois

diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog --- mahara-1.0.4/debian/changelog +++ mahara-1.0.4/debian/changelog @@ -1,3 +1,12 @@ +mahara (1.0.4-4) testing-proposed-updates; urgency=low + + * Fix XSS issues in forum descriptions and posts, backported from + these upstream commits: + a3a3824aadcaebd6e416d5b18b1f1129c0f30cac + b86d471361456a9b7c58492121feb1ae85222ada + + -- Francois Marier <[email protected]> Wed, 04 Feb 2009 14:51:32 +1300 + mahara (1.0.4-3) testing-proposed-updates; urgency=high * Depend on libphp-snoopy instead of using the embedded copy shipped only in patch2: unchanged: --- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/view.tpl +++ mahara-1.0.4/htdocs/interaction/forum/theme/default/view.tpl @@ -8,7 +8,7 @@ <div id="viewforum"> <table id="forumdescription"> <tr> - <td>{$forum->description}</td> + <td>{$forum->description|clean_text}</td> {if $admin} <td align="right" class="nowrap"> <a href="{$WWWROOT}interaction/edit.php?id={$forum->id|escape}" class="btn-editdk">{str tag="edittitle" section="interaction.forum"}</a></td> only in patch2: unchanged: --- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/simplepost.tpl +++ mahara-1.0.4/htdocs/interaction/forum/theme/default/simplepost.tpl @@ -19,6 +19,6 @@ {$post->poster|display_name|escape}</a></h5> <div><img src="{$WWWROOT}thumb.php?type=profileicon&maxsize=100&id={$post->poster}" alt=""></div> <h5>{$post->postcount}</h5></td> - <td>{$post->body}</td> + <td>{$post->body|clean_text}</td> </tr> </table> \ No newline at end of file
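Review bot: in the debian/changelog hunk, the new 1.0.4-4 entry is marked urgency=low although it carries the XSS fix, while the 1.0.4-3 entry directly below it is urgency=high. Consider raising the urgency, and since the cover mail says there is no Debian bug or CVE number yet, add that reference to this entry once one is assigned so the fix can be tracked.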
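Review bot: in the view.tpl hunk, {$forum->description|clean_text} depends on a clean_text modifier that this debdiff neither adds nor modifies, so please confirm it already exists in 1.0.4 and behaves the same as in the upstream commits being backported. The neighbouring {$forum->id|escape} uses escape instead, so a short changelog remark on why the description is passed through clean_text rather than escape would help whoever reviews the upload.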
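Review bot: in the simplepost.tpl hunk, only {$post->body} gains a filter, while the context lines still print {$post->poster} inside the thumb.php URL and {$post->postcount} with no modifier at all. If both are always integers this is harmless, but please confirm that, or add |escape to match {$post->poster|display_name|escape} on the line above.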

