The final fixes for this bug are as follows:

1.4: https://reviews.mahara.org/#/c/1668/
1.5: https://reviews.mahara.org/#/c/1669/
1.6: https://reviews.mahara.org/#/c/1670/

** Also affects: mahara/1.4
   Importance: Undecided
   Status: New

** Also affects: mahara/1.5
   Importance: Undecided
   Status: New

** Changed in: mahara/1.4
   Status: New => Fix Released

** Changed in: mahara/1.5
   Status: New => Fix Released

** Changed in: mahara/1.4
   Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.5
   Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.4
   Milestone: None => 1.4.4

** Changed in: mahara/1.5
   Milestone: None => 1.5.3

** Visibility changed to: Public

** Changed in: mahara/1.4
   Importance: Undecided => Critical

** Changed in: mahara/1.5
   Importance: Undecided => Critical

** Patch added: "xmlsecbug-13.patch"
   https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313736/+files/xmlsecbug-13.patch

https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  libxml_disable_entity_loader(true) is never called in mahara, which
  means that xml functionalities are vulnerable to
  http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities

  can be fixed by adding libxml_disable_entity_loader(true) in init.

  Reported by Mike Haworth.
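
The mitigation named in the bug description, shown as an added PHP example that is not part of the original notification and is not Mahara's code. The helper `parse_untrusted_xml()` is hypothetical, both sample documents are constructed, and the version guard assumes the function's deprecation in PHP 8.0, where libxml 2.9.0 and later no longer load external entities by default.

```php
<?php
// Added example, not Mahara's code. parse_untrusted_xml() is a hypothetical helper.

function parse_untrusted_xml(string $xml): DOMDocument
{
    // The call from the bug description. It is process-wide, which is why the
    // report suggests making it once in init. Deprecated from PHP 8.0 on.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches. LIBXML_NOENT and LIBXML_DTDLOAD are
    // deliberately not passed, so entity references are never substituted.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML');
    }
    // Defence in depth: refuse any document that carries a DOCTYPE at all,
    // since entity declarations can only appear there.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    return $doc;
}

// Constructed inputs: one plain document, one declaring an external entity
// that points at a placeholder path which does not exist.
$samples = [
    'plain'   => '<?xml version="1.0"?><note>hello</note>',
    'doctype' => '<?xml version="1.0"?>'
        . '<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
        . '<note>&ext;</note>',
];

foreach ($samples as $name => $xml) {
    try {
        $doc = parse_untrusted_xml($xml);
        echo $name, ': accepted, root text = ', $doc->documentElement->textContent, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```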