-
mahara (1.5.1-3.1) unstable; urgency=high
* Non-maintainer upload.
* SECURITY UPDATE: Fix a cross-site scripting (XSS) vulnerability
which allowed remote attackers to inject arbitrary web script or
HTML via the query parameter.
- debian/patches/CVE-2012-2253.patch
- Closes: #695789
-- Luca Falavigna <email address hidden> Sun, 23 Dec 2012 14:53:41 +0100
-
mahara (1.5.1-3) unstable; urgency=high
* SECURITY UPDATE: Disable XML entity parsing to prevent XEE
- debian/patches/CVE-2012-2239.patch: upstream patch
* SECURITY UPDATE: Multiple cross-site scripting vulnerabilities
- Content passed to the error message was not escaped
- Escape pieform errors displayed to users
- debian/patches/CVE-2012-2243-0001.patch: upstream patch
- XHTML files prone to embedded javascript
- Prevent uploaded xhtml files from displaying verbatim
- debian/patches/CVE-2012-2243-0002.patch: upstream patch
* SECURITY UPDATE: Arbitrary file execution via clam path
- Remove executable bit from existing uploaded files
- debian/patches/CVE-2012-2244-0001.patch: upstream patch
- Ensure future files will not be executable
- debian/patches/CVE-2012-2244-0002.patch: upstream patch
- Remove direct path option from web configuration
- debian/patches/CVE-2012-2244-0003.patch: upstream patch
* SECURITY UPDATE: Prevent click-jacking attacks
- Add a HTTP header of X-Frame-Options to every page
- debian/patches/CVE-2012-2246.patch: upstream patch
* SECURITY UPDATE: Prevent SVG images being displayed
- SVG images displayed inline
- Adds SVG files to the list of files to not display by default
- debian/patches/CVE-2012-2247.patch: upstream patch
-- Melissa Draper <email address hidden> Tue, 12 Nov 2012 04:08:09 +0000
-
mahara (1.5.1-2.1) unstable; urgency=low
* Non-maintainer upload
* debian/mahara.preinst: Remove previous symlink that is replaced by a
directory (closes: #690124)
-- David Prévot <email address hidden> Sat, 27 Oct 2012 22:10:31 -0400
-
mahara (1.5.1-2) unstable; urgency=high
* SECURITY UPDATE: Fix multiple cross-site scripting vulnerabilities
- Sanitize json-encode login form when injected by js
- Sanitize links in links and resources menu
- Sanitize file description for blog image editor
- Add escaping to user_display_name by adding to dwoo template
- debian/patches/CVE-2012-2237-0001.patch: upstream patch
- debian/patches/CVE-2012-2237-0002.patch: upstream patch
- debian/patches/CVE-2012-2237-0003.patch: upstream patch
- debian/patches/CVE-2012-2237-0004.patch: upstream patch
-- Melissa Draper <email address hidden> Mon, 16 Jul 2012 09:37:07 +0000
-
mahara (1.5.1-1) unstable; urgency=low
[ Melissa Draper ]
* New major upstream release
- Improved password storage
- Database triggers
- php minimum version now 5.3
* Drop dependency on Dwoo and use bundled version instead
* Update versioned dependencies on Postgres and MySQL
* Add libjs-jquery dependency
* Bump Standards-Version up to 3.9.3
* Bump debhelper compatibility to 9
[ Francois Marier ]
* Fix watch file
* Update homepage URL in debian/control
* Update Alioth URLs
-- Melissa Draper <email address hidden> Thu, 31 May 2012 12:03:15 +1200
-
mahara (1.4.2-1) unstable; urgency=high
* New upstream release
* SECURITY UPDATE: Fix default config for sites with multiple SAML instances
- Default configuration changed to prevent impersonation
-- Melissa Draper <email address hidden> Wed, 14 Mar 2012 01:53:32 +0000
-
mahara (1.4.1-1) unstable; urgency=low
* New upstream release
- CVE-2011-2771
- CVE-2011-2772
- CVE-2011-2773
- CVE-2011-2774
-- Francois Marier <email address hidden> Fri, 04 Nov 2011 12:16:06 +1300
-
mahara (1.4.0-1) unstable; urgency=low
* New major upstream release
- upstream .htaccess file has been removed
* Add missing (empty) build targets in debian/rules (lintian warning)
-- Francois Marier <email address hidden> Wed, 22 Jun 2011 14:58:47 +1200
-
mahara (1.3.6-1) unstable; urgency=high
* New upstream release (major security fixes):
- CVE-2011-1402
- CVE-2011-1403
- CVE-2011-1404
- CVE-2011-1405
- CVE-2011-1406
* Fix versioned dependency of mahara-apache2
* Drop mysql-server-5.0 recommendation
* Bump Standards-Version up to 3.9.2
-- Francois Marier <email address hidden> Tue, 10 May 2011 13:55:55 +1200
-
mahara (1.3.5-1) unstable; urgency=low
* Major new upstream release
- compatibility with HTML Purifier 4.3.0
* Remove unused Mochikit lintian override
* Update path of flowplayer in debian/rules
* Fix more broken permissions in debian/rules
* Add dependency on ttf-bitstream-vera and remove Mahara's bundled copy
* Sync Uploaders field with Launchpad Team
-- Francois Marier <email address hidden> Mon, 11 Apr 2011 15:52:10 +1200
-
mahara (1.2.7-1) unstable; urgency=high
* New upstream security release:
- CVE-2011-0439 (XSS in select boxes)
- CVE-2011-0440 (CSRF when deleting blogs)
* Add Italian debconf translation (closes: #606378)
* Add Danish debconf translation (closes: #597766)
* Bump debhelper compatibility to 8
-- Francois Marier <email address hidden> Fri, 25 Mar 2011 16:08:31 +1300
-
mahara (1.2.6-2) unstable; urgency=medium
* Move flowplayer.audio to the contrib package as well
* Add an allow rule in apache.conf for flowplayer.audio
-- Francois Marier <email address hidden> Mon, 06 Sep 2010 20:59:44 +1200