Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package mahara

It provides a fix, cherry-picked from the upstream repository, for an XSS vulnerability as described in bug #695789.

unblock mahara/1.5.1-3.1

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
diff -Nru mahara-1.5.1/debian/changelog mahara-1.5.1/debian/changelog --- mahara-1.5.1/debian/changelog 2012-11-16 09:33:12.000000000 +0100 +++ mahara-1.5.1/debian/changelog 2012-12-23 15:02:25.000000000 +0100 @@ -1,3 +1,14 @@ +mahara (1.5.1-3.1) unstable; urgency=high + + * Non-maintainer upload. + * SECURITY UPDATE: Fix a cross-site scripting (XSS) vulnerability + which allowed remote attackers to inject arbitrary web script or + HTML via the query parameter. + - debian/patches/CVE-2012-2253.patch + - Closes: #695789 + + -- Luca Falavigna <dktrkr...@debian.org> Sun, 23 Dec 2012 14:53:41 +0100 + mahara (1.5.1-3) unstable; urgency=high * SECURITY UPDATE: Disable XML entity parsing to prevent XEE diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2253.patch mahara-1.5.1/debian/patches/CVE-2012-2253.patch --- mahara-1.5.1/debian/patches/CVE-2012-2253.patch 1970-01-01 01:00:00.000000000 +0100 +++ mahara-1.5.1/debian/patches/CVE-2012-2253.patch 2012-12-23 15:02:25.000000000 +0100 
@@ -0,0 +1,24 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Cross-site scripting (XSS) vulnerability +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1079498 + + CVE-2012-2253 + + Cross-site scripting (XSS) vulnerability which allowed remote + attackers to inject arbitrary web script or HTML via the query + parameter. + +Index: mahara/htdocs/lib/web.php +=================================================================== +--- mahara.orig/htdocs/lib/web.php 2012-12-23 14:44:57.009756577 +0100 ++++ mahara/htdocs/lib/web.php 2012-12-23 14:47:02.405760418 +0100 +@@ -3273,7 +3273,7 @@ + } + else { + $return .= '">' +- . '<a href="' . $url . '" title="' . $title ++ . '<a href="' . hsc($url) . '" title="' . $title + . '">' . $text . '</a></span>'; + } + diff -Nru mahara-1.5.1/debian/patches/series mahara-1.5.1/debian/patches/series --- mahara-1.5.1/debian/patches/series 2012-11-16 09:32:59.000000000 +0100 +++ mahara-1.5.1/debian/patches/series 2012-12-23 15:02:25.000000000 +0100 @@ -10,3 +10,4 @@ CVE-2012-2244-0003.patch CVE-2012-2246.patch CVE-2012-2247.patch +CVE-2012-2253.patch
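Review bot: in the web.php hunk inside debian/patches/CVE-2012-2253.patch, the `+` line wraps only `$url` in `hsc()`, while the unchanged context lines on either side still concatenate `$title` into the `title="..."` attribute and `$text` into the element body unescaped (`'" title="' . $title` and `'">' . $text . '</a></span>'`). Whether those two values are escaped by the callers is not visible from this hunk; please confirm it in the surrounding function before the unblock, and if they are escaped elsewhere, a one-line remark in the DEP-3 header would save the next reviewer the same check. On the header itself: `Bug:` carries the Launchpad URL, but the Debian bug (#695789) is only in the changelog; adding a `Bug-Debian: http://bugs.debian.org/695789` line keeps the patch self-describing per DEP-3.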