It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names. For the stable distribution , this problem has been fixed in version 1.0.4-4+lenny5. For the testing distribution , this problem will be fixed soon. For the unstable distribution , this problem has been fixed in version 1.2.4-1. We recommend that you upgrade your mahara packages.