The final fixes for this bug are as follows:

1.4: https://reviews.mahara.org/#/c/1668/
1.5: https://reviews.mahara.org/#/c/1669/
1.6: https://reviews.mahara.org/#/c/1670/

** Also affects: mahara/1.4
   Importance: Undecided
       Status: New

** Also affects: mahara/1.5
   Importance: Undecided
       Status: New

** Changed in: mahara/1.4
       Status: New => Fix Released

** Changed in: mahara/1.5
       Status: New => Fix Released

** Changed in: mahara/1.4
     Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.5
     Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.4
    Milestone: None => 1.4.4

** Changed in: mahara/1.5
    Milestone: None => 1.5.3

** Visibility changed to: Public

** Changed in: mahara/1.4
   Importance: Undecided => Critical

** Changed in: mahara/1.5
   Importance: Undecided => Critical

** Patch added: "xmlsecbug-13.patch"
   https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313736/+files/xmlsecbug-13.patch

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  libxml_disable_entity_loader(true) is never called in Mahara, which
  means that XML functionalities are vulnerable to
  http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities

  Can be fixed by adding libxml_disable_entity_loader(true) in init.

  Reported by Mike Haworth.

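The fix named in the bug description, shown as an added example that is not taken from the Mahara patches or from this notification: an init-time call to libxml_disable_entity_loader(true), plus a per-document guard that rejects any DOCTYPE. The function names harden_libxml() and parse_untrusted_xml() and the sample documents are assumptions made for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not Mahara code; both function names are hypothetical.
function harden_libxml(): void
{
    // The fix from the bug description: disable libxml's external entity
    // loader once at start-up. The function is deprecated as of PHP 8.0,
    // so it is only called on older runtimes.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
}

function parse_untrusted_xml(string $xml): DOMDocument
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately not passed, so entities are never substituted.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new RuntimeException('malformed XML');
    }
    // Defence in depth: untrusted input has no need for a DOCTYPE.
    if ($doc->doctype !== null) {
        throw new RuntimeException('DOCTYPE not allowed');
    }
    return $doc;
}

harden_libxml();
// Constructed sample input: an external entity pointing at a marker file
// that this script creates itself.
$marker = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($marker, 'MARKER-CONTENT');
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM "file://'
    . $marker . '">]><r>&e;</r>';
$benign = '<?xml version="1.0"?><r>hello</r>';
echo parse_untrusted_xml($benign)->documentElement->textContent, "\n";
try {
    parse_untrusted_xml($hostile);
    echo "hostile document accepted\n";
} catch (RuntimeException $e) {
    echo 'hostile document rejected: ', $e->getMessage(), "\n";
}
unlink($marker);
```

On PHP versions before 8.0, disabling the entity loader also makes DOMDocument::load() and simplexml_load_file() fail on local files, so code that parses XML from disk needs to read the file and pass the string to the parser.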