Mahara 1.1.9

Milestone information

François Marier
Release registered:
No. Drivers cannot target bugs and blueprints to this milestone.  

Download RDF metadata


Assigned to you:
No blueprints or bugs assigned to you.
1 François Marier
No blueprints are targeted to this milestone.
2 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon (md5, sig) release tarball 59
last downloaded 61 weeks ago
download icon mahara-1.1.9.tar.bz2 (md5, sig) release tarball 15
last downloaded 61 weeks ago
download icon mahara-1.1.9.tar.gz (md5, sig) release tarball 41
last downloaded 61 weeks ago
Total downloads: 115

Release notes 

Mahara 1.1.9 Release Notes

This is a stable release of Mahara 1.1. Stable releases are fit for
general use. If you find a bug, please report it to the tracker:

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.1.8:

 * Multiple XSS vulnerabilities (CVE-2010-1667)
 * Multiple CSRF vulnerabilities (CVE-2010-1668)
 * SQL Injection (CVE-2010-1669)
 * Removal of dangerous auth plugin configuration options (CVE-2010-1670)
 * New version of HTML Purifier fixing an IE-only XSS (CVE-2010-2479)
 * Set the locale in Mahara instead of in language packs


View the full changelog

Store locale in langconfig; set locale when setting the language (bug #597097)
Waste a bit less time getting current language
Don't allow 'none' authinstances to be used as parent authinstances
Don't allow internal auth users to login unless they have set a password
lib/htmlpurifier: upgrade to latest upstream version (4.1.1)
Remove old note about REPO moving
Check sesskey when adding authinstances with no config form
Check sesskey in non-js view editor actions & before removing blocks
Check session key when closing forum threads or making them sticky
Allow for sesskey, deleted, suspended checks without a pieform object
Cast an ID coming from user data before it hits a query
Escape artefact title & owner name on filtered html page
Run clean_html over summaries in portfolio self search results
Escape group name & view description on group views page for users who cannot edit views
htmlpurifier: update README.Mahara after 4.1.0 upgrade
htmlpurifier: new upstream release (4.1.0)
Run artefact description through clean_html in blog artefactchooser
Run blog description through clean_html when viewing own blog
Run blog descriptions through clean_html when viewing my blogs page
Escape user's name on wall page
Run clean_html over group description on group view page
Add a copyright notice which includes an extra permission for linking with OpenSSL
Escape user,institution names on admin notifications page
Escape link text in links & resources menu
Escape author names in views shared/submitted to group lists
Escape group name in view submitted message on my views page
Run clean_html over view descriptions
Escape admin's name in masquerade string
Escape lists of institution & group names on user/view page
Escape institution names on admin user search
Pieforms: escape value of 'collapseifone' select element option

0 blueprints and 2 bugs targeted

Bug report Importance Assignee Status
571505 #571505 XSS in HTML purifier 3.0.0 and 4.0.0 2 Critical François Marier  10 Fix Released
594891 #594891 Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password 4 Medium   10 Fix Released
This milestone contains Public information
Everyone can see this information.