Your message dated Wed, 30 Jun 2010 21:34:44 +0000 with message-id <e1ou4vc-0000py...@ries.debian.org> and subject line "Bug#585425: fixed in moodle 1.9.9-1" has caused the Debian Bug report #585425, regarding "moodle: CVE-2010-1619 cross-site scripting in KSES HTML text cleaning library", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
585425: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for moodle.

CVE-2010-1619[0]:
| Cross-site scripting (XSS) vulnerability in the
| fix_non_standard_entities function in the KSES HTML text cleaning
| library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x
| before 1.9.8, allows remote attackers to inject arbitrary web script
| or HTML via crafted HTML entities.

The function patched in the official upstream patch is not included in our version of the source code; a ported (untested) version of the patch is attached.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1619
    http://security-tracker.debian.org/tracker/CVE-2010-1619

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

--- weblib.php 2010-06-10 15:03:59.000000000 +0200 +++ weblib.php.new 2010-06-10 15:12:30.000000000 +0200 @@ -1676,8 +1676,8 @@ default: /// Fix non standard entity notations - $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text); - $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text); + $text = preg_replace('/�*([0-9]+);?/', "&#\\1;", $text); + $text = preg_replace('/�*([0-9a-fA-F]+);?/', "&#\\1;", $text); /// Remove tags that are not allowed $text = strip_tags($text, $ALLOWED_TAGS);
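Review bot: the second `+` line of the hunk rewrites a hex entity with the replacement `"&#\\1;"`, which drops the `x`, so an input such as `&#x41;` would come out as the decimal entity `&#41;` and change meaning; if hex entities are meant to stay hex, that replacement should read `"&#x\\1;"`. Both `+` patterns also show a replacement character immediately before `*` where the entity prefix (`&#` and `&#x`, presumably followed by an optional leading-zero run) belongs, which looks like mail or web rendering damage rather than the text that was submitted, so the port should be compared against the upstream commit before it is applied. Since the port is explicitly untested, a regression test that feeds zero-padded decimal and hex entities through the cleaner and asserts that a single canonical spelling comes out would give the maintainer something concrete to check the backport with.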
--- End Message ---
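A Python port of the two regex lines from the ported hunk, before and after the fix, added here to show what the change actually does to non-standard entity spellings; this is an added example, not Moodle's code or the submitter's patch, and it assumes the replacement character in the `+` lines stands for the `&#0` / `&#x0` prefix (leading zeros are stripped) and that the hex branch keeps its `x` in the replacement.

```python
import html
import re

# Constructed Python port (not Moodle's code) of the two preg_replace lines in
# the hunk.  Assumptions: the replacement character shown in the '+' lines
# stands for the literal "&#0" / "&#x0" prefix, i.e. the fix strips leading
# zeros, and the hex branch keeps its "x" in the replacement.


def fix_entities_before(text: str) -> str:
    """Pre-fix cleaner: only appends a missing ';' and keeps digits verbatim."""
    text = re.sub(r'(&#[0-9]+)(;?)', r'\1;', text)
    text = re.sub(r'(&#x[0-9a-fA-F]+)(;?)', r'\1;', text)
    return text


def fix_entities_after(text: str) -> str:
    """Post-fix cleaner: drops zero padding so one canonical spelling remains."""
    text = re.sub(r'&#0*([0-9]+);?', r'&#\1;', text)
    text = re.sub(r'&#x0*([0-9a-fA-F]+);?', r'&#x\1;', text)
    return text


# Constructed sample: five spellings of the same character, '<'.
LT_VARIANTS = ["&#60", "&#060;", "&#0000060", "&#x3c", "&#x003C;"]


def distinct_outputs(fixer, variants=LT_VARIANTS):
    """Sorted set of strings the cleaner leaves behind for one character.

    A cleaner that later compares or strips tags by string matching can only
    be reasoned about if every spelling collapses to the same text, so the
    smaller this set, the better.
    """
    outs = {fixer(v) for v in variants}
    # Every surviving spelling still decodes to '<' in a browser.
    assert {html.unescape(o) for o in outs} == {"<"}
    return sorted(outs)


if __name__ == "__main__":
    print("before:", distinct_outputs(fix_entities_before))  # 5 spellings
    print("after: ", distinct_outputs(fix_entities_after))   # 3 spellings
```

The fixed patterns fold decimal padding to one spelling but still leave `&#x3c;` and `&#x3C;` as two; a cleaner that needs exactly one form per character would have to case-fold the hex branch as well.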
--- Begin Message ---
Source: moodle
Source-Version: 1.9.9-1

We believe that the bug you reported is fixed in the latest version of moodle, which is due to be installed in the Debian FTP archive:

moodle_1.9.9-1.debian.tar.gz to main/m/moodle/moodle_1.9.9-1.debian.tar.gz
moodle_1.9.9-1.dsc to main/m/moodle/moodle_1.9.9-1.dsc
moodle_1.9.9-1_all.deb to main/m/moodle/moodle_1.9.9-1_all.deb
moodle_1.9.9.orig.tar.gz to main/m/moodle/moodle_1.9.9.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 585...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Muras <nexor1...@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Wed, 23 Jun 2010 21:00:39 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.9.9-1
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Tomasz Muras <nexor1...@gmail.com>
Description:
 moodle - Course Management System for Online Learning
Closes: 585425 586280
Changes:
 moodle (1.9.9-1) unstable; urgency=low
 .
   * Rewritten debian/rules
   * Removed unnecessary usr/share/moodle/update-notifier
   * New Upstream Version: 1.9.9
   * New upstream fixes CVE-2010-1619 (closes: #585425)
   * New upstream fixes MSA-10-0011 (closes: #586280)
--- End Message ---