[Bug 676336] Re: Blogs get deleted without sesskey check
Thanks for the patches! Sorry for the delay; I am processing these now. I might mention that in the future to follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for versions (e.g., maverick should have 1.2.5-2ubuntu0.1) and to reference the bug number in the changelog (e.g., LP: #676336). I did both of these and have uploaded to the security PPA. I will publish once they are done building.

** Changed in: mahara (Ubuntu Maverick)
   Status: Confirmed => Fix Committed

** Changed in: mahara (Ubuntu Lucid)
   Status: Confirmed => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/676336

Title:
  Blogs get deleted without sesskey check

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 676336] Re: Blogs get deleted without sesskey check
This bug was fixed in the package mahara - 1.2.5-2ubuntu0.1

---
mahara (1.2.5-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336
  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440

 -- Francois Marier <franc...@debian.org>  Fri, 25 Mar 2011 16:38:51 +1300

** Changed in: mahara (Ubuntu Maverick)
   Status: Fix Committed => Fix Released

** Changed in: mahara (Ubuntu Lucid)
   Status: Fix Committed => Fix Released
[Bug 676336] Re: Blogs get deleted without sesskey check
This bug was fixed in the package mahara - 1.2.4-1ubuntu0.2

---
mahara (1.2.4-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336
  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440

 -- Francois Marier <franc...@debian.org>  Fri, 18 Mar 2011 15:51:03 +1300
[Bug 676336] Re: Blogs get deleted without sesskey check
** Changed in: mahara (Ubuntu Lucid)
   Status: New => Confirmed

** Changed in: mahara (Ubuntu Maverick)
   Status: New => Confirmed
[Bug 676336] Re: Blogs get deleted without sesskey check
François, if you could in the future include URLs to the patches, it would be much easier to reconcile them:

+Origin: upstream, commit:3b1dc78070988b68fa7a8495c19957d83c204d95

maps to:

http://gitorious.org/mahara/mahara/commit/3b1dc78070988b68fa7a8495c19957d83c204d95

+Origin: upstream, commit:fcee1996e56588f2f0f54f627d3b75e695b03e1b

maps to:

http://gitorious.org/mahara/mahara/commit/fcee1996e56588f2f0f54f627d3b75e695b03e1b

Which took a fair bit of investigation to figure out. However, these look exactly clean, and the patches fix a security vulnerability, so I see no reason to delay uploading them. As Artur said, the URL would be much more useful than just the commit ID.

I've built with the debdiffs for lucid and maverick, and installed them. I was able to perform the mahara install and browse the site. I didn't try to reproduce the security vulnerabilities, as creating users and sending emails from inside a chroot can be difficult, but the code fixes are extremely straightforward and identical to the patches applied upstream, so I'm confident the issue is resolved. As such I've marked the Lucid and Maverick tasks as confirmed.
[Bug 676336] Re: Blogs get deleted without sesskey check
 mahara | 1.2.7-1 | natty/universe | source, all

** Changed in: mahara (Ubuntu Natty)
   Status: Fix Committed => Fix Released
[Bug 676336] Re: Blogs get deleted without sesskey check
MOTU SWAT ACK. Thank you for your contribution!

** Changed in: mahara (Ubuntu Natty)
   Status: New => Fix Committed

** Changed in: mahara (Ubuntu Natty)
   Assignee: (unassigned) => Artur Rona (ari-tczew)
[Bug 676336] Re: Blogs get deleted without sesskey check
Please don't set status as Invalid, because natty is affected and Invalid means that the bug doesn't affect natty. You can resolve it in two ways:

1 - use the tag LP: #676336 in d/changelog in Debian unstable and file an individual report for sync
2 - if you don't have the LP tag in d/changelog, please just comment the package to sync here and we will handle the sync.

** Changed in: mahara (Ubuntu Natty)
   Status: Invalid => New
[Bug 676336] Re: Blogs get deleted without sesskey check
Artur, sorry about that. The package to sync from sid to natty is mahara 1.2.7-1:

mahara (1.2.7-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2011-0439 (XSS in select boxes)
    - CVE-2011-0440 (CSRF when deleting blogs)
  * Add Italian debconf translation (closes: #606378)
  * Add Danish debconf translation (closes: #597766)
  * Bump debhelper compatibility to 8

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0439
[Bug 676336] Re: Blogs get deleted without sesskey check
Subscribing ubuntu-security-sponsors, as this is a security update.
[Bug 676336] Re: Blogs get deleted without sesskey check
** Changed in: mahara (Ubuntu)
   Importance: Undecided => Medium

** Changed in: mahara (Ubuntu)
   Assignee: François Marier (fmarier) => Artur Rona (ari-tczew)
[Bug 676336] Re: Blogs get deleted without sesskey check
** Also affects: mahara (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: mahara (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: mahara (Ubuntu Natty)
   Importance: Medium
   Assignee: Artur Rona (ari-tczew)
   Status: In Progress
[Bug 676336] Re: Blogs get deleted without sesskey check
Thank you for your time and efforts making Ubuntu better! However, there are some issues:

1) You used package version 1.2.5-2, but current natty's version is 1.2.6-2. Could you check it?
2) Natty is already in development stage and you shouldn't use the -security target. Please use just natty.
3) In d/changelog:
   - You used .dpatch to describe files, but they've been called .patch.
   - Please add (LP: #BUGNUMBER) to appropriate fields.
4) Improve DEP3 tags:
   - Origin: upstream, - please give an http link to bazaar/git/svn upstream where we can browse the patch.
   - Please use the short URL, so: Bug: https://launchpad.net/bugs/710428

Please also consider fixing the rest of the patches with the suggestions above.

** Changed in: mahara (Ubuntu Natty)
   Status: In Progress => Incomplete

** Changed in: mahara (Ubuntu Natty)
   Assignee: Artur Rona (ari-tczew) => (unassigned)
[Bug 676336] Re: Blogs get deleted without sesskey check
Hi Artur,

Disregard the natty patch, I'll be filing a sync request from unstable for that one.

Cheers,
Francois

** Changed in: mahara (Ubuntu Natty)
   Status: Incomplete => Invalid
[Bug 676336] Re: Blogs get deleted without sesskey check
** Changed in: mahara/1.3
   Status: Fix Committed => Fix Released

** Changed in: mahara
   Status: Fix Committed => Fix Released

** Visibility changed to: Public
[Bug 676336] Re: Blogs get deleted without sesskey check
This security vulnerability is now public.
[Bug 676336] Re: Blogs get deleted without sesskey check
Oops, that Natty debdiff is not for natty at all, but rather for Maverick!
[Bug 676336] Re: Blogs get deleted without sesskey check
Here is a debdiff for Maverick.

** Patch added: "Maverick debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/676336/+attachment/1938955/+files/maverick.deb.diff