Mahara 1.3.7

Milestone information

François Marier
Release registered:
No. Drivers cannot target bugs and blueprints to this milestone.  

Download RDF metadata


Assigned to you:
No blueprints or bugs assigned to you.
3 François Marier, 1 Melissa Draper, 4 Richard Mansfield, 1 Ruslan Kabalin
No blueprints are targeted to this milestone.
9 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon (md5, sig) release tarball 80
last downloaded 57 weeks ago
download icon mahara-1.3.7.tar.bz2 (md5, sig) release tarball 13
last downloaded 62 weeks ago
download icon mahara-1.3.7.tar.gz (md5, sig) release tarball 41
last downloaded 62 weeks ago
Total downloads: 134

Release notes 

Mahara 1.3.7 Release Notes

This is a stable release of Mahara 1.3. Stable releases are fit for
general use. If you find a bug, please report it to the tracker:

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.3.6:

 * XSS in unvalidated URI attributes (CVE-2011-2771)
 * Information disclosure exposing private messages (CVE-2011-2774)
 * DoS via invalid or excessively large images (CVE-2011-2773)
 * CSRF to trick admins into adding a user to an institution (CVE-2011-2773)
 * Fix for cron not running
 * Fix broken links on export page


View the full changelog

Remove unreachable addtoinstitution.php script (bug #800032)
Add sanitize_url() and apply to XSS vulns in rss parser
Fix messaging privelege escalation (bug #798128)
Estimate memory usage before resizing images (bug #784978)
Prevent masquerading users from jumping as others
Json-encode strings included in viewacl javascript (bug #817342)
init: only redirect to HTTPS when running in a browser
Fix link on export page (bug #790466)
Fix start/stop date overrides (bug #722475)

0 blueprints and 9 bugs targeted

Bug report Importance Assignee Status
798128 #798128 All private messages were accessible by wrong users 2 Critical Ruslan Kabalin  10 Fix Released
722475 #722475 Overriding start/stop dates in VIEWS not working 3 High Richard Mansfield  10 Fix Released
784978 #784978 Potential DoS attack by running large images through GD 3 High Richard Mansfield  10 Fix Released
794490 #794490 Cron is not running 3 High François Marier  10 Fix Released
798136 #798136 XSS in URI attributes in the externalfeed block 3 High Melissa Draper  10 Fix Released
800032 #800032 Session key not checked in admin/users/addtoinstitution.php 3 High Richard Mansfield  10 Fix Released
884223 #884223 Administrators masquerading as other users can jump to remote XMLRPC applications as that other user 3 High François Marier  10 Fix Released
817342 #817342 Unencoded strings included in viewacl javascript 4 Medium Richard Mansfield  10 Fix Released
790466 #790466 link on export page returns 404 5 Low François Marier  10 Fix Released
This milestone contains Public information
Everyone can see this information.