Mahara 1.0.15

Milestone information

Project: Mahara
Series: 1.0
Version: 1.0.15
Released:
Registrant: François Marier
Release registered:
Active: No. Drivers cannot target bugs and blueprints to this milestone.

Activities

Assignees: 1 François Marier
Blueprints: No blueprints are targeted to this milestone.
Bugs: 2 Fix Released

Release notes 

Mahara 1.0.15 Release Notes

This is a stable release of Mahara 1.0. Stable releases are fit for
general use. If you find a bug, please report it to the tracker:

https://bugs.launchpad.net/mahara/+filebug

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.0.14:

 * Multiple XSS vulnerabilities (CVE-2010-1667)
 * Multiple CSRF vulnerabilities (CVE-2010-1668)
 * Removal of dangerous auth plugin configuration options (CVE-2010-1670)
 * New version of HTML Purifier fixing an IE-only XSS (CVE-2010-2479)

Changelog 

Don't allow 'none' authinstances to be used as parent authinstances
Don't allow internal auth users to login unless they have set a password
Fix the htmlpurifier settings to match new upstream version
lib/htmlpurifier: upgrade to latest upstream version (4.1.1)
Check sesskey when adding authinstances with no config form
Check sesskey in non-js view editor actions & before removing blocks
Check session key when closing forum threads or making them sticky
Allow for sesskey, deleted, suspended checks without a pieform object
Escape artefact title & owner name on filtered html page
Run clean_text over summaries in portfolio self search results
Add a copyright notice which includes an extra permission for linking with OpenSSL
Escape user,institution names on admin notifications page
Escape link text in links & resources menu
Escape group name in view submitted message on my views page
Escape admin's name in masquerade string
Escape institution names on admin user search
Pieforms: escape value of 'collapseifone' select element option

0 blueprints and 2 bugs targeted

Bug report | Importance | Assignee | Status
#571505 XSS in HTML purifier 3.0.0 and 4.0.0 | Critical | François Marier | Fix Released
#594891 Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password | Medium | | Fix Released