[Bug 556369] Re: SQL injection in username field
Launchpad Bug Tracker
556369 at bugs.launchpad.net
Wed Apr 7 14:03:19 BST 2010
This bug was fixed in the package mahara - 1.0.9-2ubuntu0.6

mahara (1.0.9-2ubuntu0.6) jaunty-security; urgency=low

  * SECURITY UPDATE: SQL injection (LP: #556369)
    - debian/patches/CVE-2010-0400.dpatch: fix from upstream

 -- Francois Marier <francois at debian.org>  Tue, 06 Apr 2010 22:58:53 +1200

SQL injection in username field
Status in Mahara ePortfolio: Fix Released
Status in “mahara” package in Ubuntu: Invalid
Status in “mahara” source package in Lucid: Invalid
Status in “mahara” source package in Jaunty: Fix Released
Status in “mahara” source package in Karmic: Fix Released
Binary package hint: mahara
There is an exploitable SQL injection in the code used to generate new usernames.
I will attach here debdiffs for both jaunty and karmic.
For lucid, I will file a separate sync request.
(Also see upstream bug report at https://bugs.launchpad.net/mahara/+bug/534172 and the upstream security advisory at http://mahara.org/interaction/forum/topic.php?id=1713)