Date: 10 May 2012
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0456
mahara security update
10 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mahara
Publisher: Debian
Operating System: Debian GNU/Linux 6
                  UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
Original Bulletin:
http://www.debian.org/security/2012/dsa-2467
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running mahara check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1                   security@debian.org
http://www.debian.org/security/                       Thijs Kinkhorst
May 09, 2012                                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : mahara
Vulnerability : insecure defaults
Problem type : remote
Debian-specific: no
It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdPs.
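The mitigation the advisory implies, shown as an added illustration that is not Mahara's or Debian's code: in a multi-IdP SAML deployment, the local account lookup must be keyed by the issuing IdP's entityID as well as the asserted subject, otherwise any trusted IdP can assert a name that belongs to another IdP's user. The Assertion type, account table and helper names below are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for a verified SAML assertion (constructed)."""
    issuer: str    # entityID of the IdP that signed the assertion
    name_id: str   # subject identifier asserted by that IdP

# Constructed local account table: each account is provisioned for one IdP.
ACCOUNTS: Dict[Tuple[str, str], str] = {
    ("https://idp.example-a.org/saml", "alice"): "alice@example-a.org",
    ("https://idp.example-b.org/saml", "bob"):   "bob@example-b.org",
}

def lookup_insecure(assertion: Assertion) -> Optional[str]:
    """Insecure default: match on the asserted name only, ignoring which
    IdP issued it. Any trusted IdP can then claim any known name."""
    for (_idp, name), account in ACCOUNTS.items():
        if name == assertion.name_id:
            return account
    return None

def lookup_scoped(assertion: Assertion) -> Optional[str]:
    """Hardened: match on (issuing IdP, asserted name), so an IdP can only
    sign in accounts that were provisioned for that IdP."""
    return ACCOUNTS.get((assertion.issuer, assertion.name_id))

# Constructed test vectors: a legitimate assertion from IdP A, and an
# assertion from IdP B naming an account provisioned for IdP A.
LEGIT = Assertion(issuer="https://idp.example-a.org/saml", name_id="alice")
CROSS_IDP = Assertion(issuer="https://idp.example-b.org/saml", name_id="alice")

if __name__ == "__main__":
    print("insecure, cross-IdP:", lookup_insecure(CROSS_IDP))  # alice@example-a.org
    print("scoped, cross-IdP:  ", lookup_scoped(CROSS_IDP))    # None
    print("scoped, legitimate: ", lookup_scoped(LEGIT))        # alice@example-a.org
```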
For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.
For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.
We recommend that you upgrade your mahara packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================