Disclosure of sensitive information before Mahara 24.04.9


Robert Lyon

17 March 2025, 12:53

Hello,

This latest release contains three security fixes that are of high or critical nature, depending on the functionality you have enabled on your site. We would like to thank the people who made responsible disclosures of these security issues to us.

A list of fixes is available on the 'Releases' page, accessible to subscribers.

CVE information

CVE-2025-29992

Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy.

The database connection settings may be exposed if the database server is temporarily down or too busy. Exposed were the database host's IP address, the database name, and the database username.

Discoverer: Peter Bulmer (Catalyst IT)

Attack type: Local

Vulnerability type: Information disclosure

Access updates

Subscribers have two options for accessing the latest code.

Via Git

As downloadable package

The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release, which also includes a list of issues, linked to their descriptions, that have been fixed.

If you use the download files, make sure not to download a file called 'source code'. You want to download the files that have the compiled code as only that will come with all necessary libraries and stylesheet information.

Update information

Please see the wiki for information on updating Mahara, based on the method you use, either via the code repository (Git) or the downloadable package.

As a subscriber, we recommend you update your instance of Mahara to the latest maintenance release of the series of Mahara you are using, or, if you are on an unsupported version of Mahara, upgrade to a supported one.

Thank you

The Mahara team at Catalyst
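An added example, not Mahara's own code, of the weakness class described in CVE-2025-29992: a database connection failure whose driver error text echoes the host, database name and username straight to the page, beside a hardened handler that logs the full detail server-side and shows the user only an opaque reference id. The settings, the driver and its error text are constructed for the example.

```python
"""Failing a database connection without leaking connection settings to the user."""
import logging
import uuid

log = logging.getLogger("dbconn")

# Constructed settings; the advisory names host, database name and username as the exposed values.
DB_SETTINGS = {"host": "10.0.0.5", "dbname": "mahara", "user": "mahara_app", "password": "constructed-secret"}


class DatabaseUnavailable(Exception):
    """Raised to the web layer; its text carries only an opaque reference id."""

    def __init__(self, ref):
        super().__init__(f"The site database is currently unavailable (ref {ref}).")
        self.ref = ref


def failing_driver(settings):
    # Simulates a driver whose exception text repeats the connection parameters (constructed).
    raise ConnectionError(
        f"could not connect to server at {settings['host']} dbname={settings['dbname']} user={settings['user']}"
    )


def connect_unsafe(settings, driver):
    # 'Before' form: the driver's exception, DSN details included, propagates to the error page.
    return driver(settings)


def connect_safe(settings, driver):
    """Hardened form: full detail goes to the server log under a reference id; the user sees only the id."""
    try:
        return driver(settings)
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        # Password is deliberately never logged, even server-side.
        log.error("db connect failed ref=%s host=%s dbname=%s user=%s err=%s",
                  ref, settings["host"], settings["dbname"], settings["user"], exc)
        raise DatabaseUnavailable(ref) from None


def render_error_page(settings, connect, driver=failing_driver):
    """Mimics an unhandled exception being rendered: returns the text a user would see."""
    try:
        connect(settings, driver)
        return "ok"
    except Exception as exc:
        return str(exc)


def leaks_settings(message, settings):
    """Check: does a user-visible message contain any of the three exposed connection values?"""
    return any(value in message for value in (settings["host"], settings["dbname"], settings["user"]))
```

Running `leaks_settings` over the rendered page for each handler is a quick regression check to keep in a test suite after an upgrade.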
