Mahara 1.3.6

Milestone information

Project:
Mahara
Series:
1.3
Version:
1.3.6
Released:
2011-05-10  
Registrant:
Richard Mansfield
Release registered:
2011-05-10
Active:
No. Drivers cannot target bugs and blueprints to this milestone.  

Download RDF metadata

Activities

Assigned to you:
No blueprints or bugs assigned to you.
Assignees:
13 Richard Mansfield, 1 Ruslan Kabalin
Blueprints:
No blueprints are targeted to this milestone.
Bugs:
14 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon mahara-1.3.6.tar.bz2 (md5, sig) release tarball 526
last downloaded 15 weeks ago
download icon mahara-1.3.6.tar.gz (md5, sig) release tarball 455
last downloaded 59 weeks ago
download icon mahara-1.3.6.zip (md5, sig) release tarball 1,668
last downloaded 42 weeks ago
Total downloads: 2,649

Release notes 

Mahara 1.3.6 Release Notes

This is a stable release of Mahara 1.3. Stable releases are fit for
general use. If you find a bug, please report it to the tracker:

https://bugs.launchpad.net/mahara/+filebug

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.3.5:

 * Privilege escalations (CVE-2011-1402)
 * Fixes to session key validation (CVE-2011-1403)
 * Information disclosure in AJAX calls (CVE-2011-1404)
 * Sanitisation of HTML emails (CVE-2011-1405)
 * https to http downgrade (CVE-2011-1406)

Changelog 

View the full changelog

Add missing sesskey to profile icons & layout pages
Ensure that secure connection is being used when wwwroot is set to ^https
Escape body of html emails (bug #772860)
Return only html from json/friendsearch.php (bug #772179)
Only give userids and names in group/membersearchresults.php (bug #772174)
Only give userids and names in json/usersearch.php (bug #772160)
Fixes for myfriends pagination script (bug #772140)
Check view permission when paginating blog blocks (bug #771653)
Check edit permission in blog owner pagination script (bug #771644)
Check view permission in viewtasks.json.php (bug #771637)
Check edit permissions in tasks.json.php (bug #771623)
Check permissions and remove suspension code from admin user search (bug #771614)
Fix pieforms sesskey validation (bug #771598)
Add view edit permission check in newviewtoken json script (bug #771592)
Remove unnecessary execute bits on template files
Remove execute bit from all images

0 blueprints and 14 bugs targeted

Bug report Importance Assignee Status
685942 #685942 Possible https to http downgrade 3 High Ruslan Kabalin  10 Fix Released
746182 #746182 Overriding start/stop dates not checked 3 High Richard Mansfield  10 Fix Released
771592 #771592 Edit permission not checked in newviewtoken.json.php 3 High Richard Mansfield  10 Fix Released
771598 #771598 Session key validation not working in pieforms 3 High Richard Mansfield  10 Fix Released
771614 #771614 Check permissions and remove user suspension code from admin/users/search.json.php 3 High Richard Mansfield  10 Fix Released
771623 #771623 Check edit permissions in tasks.json.php 3 High Richard Mansfield  10 Fix Released
771637 #771637 Check view permissions in viewtasks.json.php 3 High Richard Mansfield  10 Fix Released
771644 #771644 Check edit permissions in blog index.json.php 3 High Richard Mansfield  10 Fix Released
771653 #771653 Check view permissions in blog posts.json.php 3 High Richard Mansfield  10 Fix Released
772140 #772140 Information disclosure in my friends pagination script 3 High Richard Mansfield  10 Fix Released
772160 #772160 Userlist element json script reveals user information 3 High Richard Mansfield  10 Fix Released
772174 #772174 Group member search json script reveals user information 3 High Richard Mansfield  10 Fix Released
772179 #772179 Ajax script for friend search pagination reveals user information 3 High Richard Mansfield  10 Fix Released
772860 #772860 HTML emails not escaped 3 High Richard Mansfield  10 Fix Released
This milestone contains Public information
Everyone can see this information.