lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed,  9 May 2012 19:47:16 +0200 (CEST)
From: Thijs Kinkhorst <thijs@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2467-1] mahara security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1                   security@...ian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mahara
Vulnerability  : insecure defaults
Problem type   : remote
Debian-specific: no

It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdP's.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.

We recommend that you upgrade your mahara packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJPqq1YAAoJEOxfUAG2iX57XpsH/jd+dpSgjuT/oetg3PP3+g92
Byq+pr5sNNQq7RAGtSdZFB0eN8zAtJIf06bIM0uc8qK3yHaLWu81j0sW6SOobHlO
nm0A5HeLLc6SrQPsleZdPupBi0mU7EgSX2U88imfhDbGTdM6PalMt7quSE38rC0g
r+NRO9PXt3xxIiUlmgT90RdSLeeqFAE1kE8SrvMR4vxKdxVyZW24ZKUtpAguS4ch
CsqvpMaX8nnHEIV1ffWVDE4mfroj9/+Nts0fxZD6SxMiTVjPZDXTmkYP2YuGzO7P
zQTTal42Gf5De+Rf4XD1PjKlcQb2m1QLMqa00k9I4FjWq5Se3x5aL8g+tw6eGIA=
=MHiw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ