[Bug 556369] Re: SQL injection in username field

Launchpad Bug Tracker 556369 at bugs.launchpad.net
Wed Apr 7 14:03:19 BST 2010

This bug was fixed in the package mahara - 1.1.5-1ubuntu0.2

mahara (1.1.5-1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: SQL injection (LP: #556369)
    - debian/patches/CVE-2010-0400.dpatch: fix from upstream
    - CVE-2010-0400
 -- Francois Marier <francois at debian.org>   Tue, 06 Apr 2010 22:35:16 +1200

** Changed in: mahara (Ubuntu Karmic)
       Status: Confirmed => Fix Released

** Changed in: mahara (Ubuntu Jaunty)
       Status: Confirmed => Fix Released

SQL injection in username field

Status in Mahara ePortfolio: Fix Released
Status in “mahara” package in Ubuntu: Invalid
Status in “mahara” source package in Lucid: Invalid
Status in “mahara” source package in Jaunty: Fix Released
Status in “mahara” source package in Karmic: Fix Released

Bug description:
Binary package hint: mahara

There is an exploitable SQL injection in the code used to generate new usernames.

I will attach here debdiffs for both jaunty and karmic.

For lucid, I will file a separate sync request.

(Also see upstream bug report at https://bugs.launchpad.net/mahara/+bug/534172 and the upstream security advisory at http://mahara.org/interaction/forum/topic.php?id=1713)
