Format: 1.8
Date: Tue, 12 Nov 2012 04:08:09 +0000
Source: mahara
Binary: mahara mahara-apache2 mahara-mediaplayer
Architecture: source all
Version: 1.5.1-3
Distribution: unstable
Urgency: high
Maintainer: Mahara Packaging Team <mahara-packaging@lists.launchpad.net>
Changed-By: Melissa Draper <melissa@catalyst.net.nz>
Description:
 mahara - Electronic portfolio, weblog, and resume builder
 mahara-apache2 - Electronic portfolio, weblog, and resume builder - apache2 config
 mahara-mediaplayer - Electronic portfolio, weblog, and resume builder - internal media
Changes:
 mahara (1.5.1-3) unstable; urgency=high
 .
   * SECURITY UPDATE: Disable XML entity parsing to prevent XEE
     - debian/patches/CVE-2012-2239.patch: upstream patch
 .
   * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities
     - Content passed to the error message was not escaped
     - Escape pieform errors displayed to users
     - debian/patches/CVE-2012-2243-0001.patch: upstream patch
     - XHTML files prone to embedded javascript
     - Prevent uploaded xhtml files from displaying verbatim
     - debian/patches/CVE-2012-2243-0002.patch: upstream patch
 .
   * SECURITY UPDATE: Arbitrary file execution via clam path
     - Remove executable bit from existing uploaded files
     - debian/patches/CVE-2012-2244-0001.patch: upstream patch
     - Ensure future files will not be executable
     - debian/patches/CVE-2012-2244-0002.patch: upstream patch
     - Remove direct path option from web configuration
     - debian/patches/CVE-2012-2244-0003.patch: upstream patch
 .
   * SECURITY UPDATE: Prevent click-jacking attacks
     - Add a HTTP header of X-Frame-Options to every page
     - debian/patches/CVE-2012-2246.patch: upstream patch
 .
   * SECURITY UPDATE: Prevent SVG images being displayed
     - SVG images displayed inline
     - Adds SVG files to the list of files to not display by default
     - debian/patches/CVE-2012-2247.patch: upstream patch