Public bug reported:

Binary package hint: moodle

A new moodle package has been created that includes numerous security (~24), Debian (~20), and Ubuntu (7) bug fixes. Debian has integrated most of Ubuntu's previous changes. The 1.9.x series has also been the current stable upstream release since March 2008. The current Jaunty package is uninstallable and has numerous security vulnerabilities. There are no dependent packages except edubuntu-server. Here are the relevant changelog entries:

moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low

  * Merge with Debian git (Closes LP: #322961, #239481, #334611):
    - use Ubuntu's smarty lib directory for linking
    - use internal yui library
    - add update-notifier support back in
  [Matt Oquist]
  * renamed prerm script
  * significantly rewrote postinst and other maintainer scripts to improve
    user experience and package maintainability
    (Closes LP: #225662, #325450, #327843, #303078, #234609)

 -- Jordan Mantha <laserj...@ubuntu.com>  Wed, 25 Feb 2009 15:16:22 -0800

moodle (1.9.4.dfsg-1) UNRELEASED; urgency=low

  * New Upstream Version (closes: #475535, #514284, #515823)
    (added notes/ and tag/ to debian/install)
  * Merge with Ubuntu:
    - drop use of wwwconfig (closes: #389502, #302205)
    - debian/postinst: ucf fixes (fixes a hang)
  * Remove preinst (no more direct upgrades from sarge)
  * Remove PHP4 support from the Apache config file we provide
  * Drop support for apache 1.x and remove from debconf
  * Add Swedish debconf translation (closes: #511202)
  * Bump debhelper compatibility to 7
  * Add lintian overrides for known customised libraries
  * Add new license files to delete (lintian warning)
  * Compress the deb with bzip2
  * Add a watch file
  * Update copyright file

  Dependencies:
  * Depend on libjs-yui instead of yui (renamed after lenny)
  * Add dependency on unzip
  * Recommend php5-xmlrpc and aspell
  * Suggest clamav
  * Demoted mimetex to recommended

  Generated config:
  * Turn 'dbpersist' on by default in the generated config.php
  * Include whitespace warning at the end of generated config.php
  * Set the path to du, unzip and zip

 -- Francois Marier <franc...@debian.org>  Tue, 24 Feb 2009 08:17:50 +1300

moodle (1.8.2.dfsg-4) unstable; urgency=high

  * Improve the fix for log URL filtering as suggested by Steffen Joeris
    (MSA-09-0007 / CVE-2009-0500)
  * Backport upstream fix for calendar export leakage
    (MSA-09-0006 / CVE-2009-0501)

 -- Francois Marier <franc...@debian.org>  Thu, 12 Feb 2009 17:27:07 +1300

moodle (1.8.2.dfsg-3) unstable; urgency=high

  * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
    (MSA-09-0005, CVE-2008-5153)
  * Hide images of deleted users (MSA-09-0001)
  * Fix user pix disclosure (MSA-09-0002)
  * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
  * Fix CSRF vulnerability in forum code (MSA-09-0008)

 -- Francois Marier <franc...@debian.org>  Mon, 02 Feb 2009 19:09:10 +1300

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update html2text to prevent code execution attacks (closes: #508909)

 -- Francois Marier <franc...@debian.org>  Wed, 17 Dec 2008 13:37:10 +1300

moodle (1.8.2.dfsg-1) unstable; urgency=high

  * Replace html2text with a GPL alternative (closes: #507947)
  * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
  * Add Dan Poltawski to the uploaders field

 -- Francois Marier <franc...@debian.org>  Tue, 16 Dec 2008 20:24:27 +1300

moodle (1.8.2-2) unstable; urgency=high

  * Adopt orphaned package (closes: #494642)
  * Acknowledge security NMU (closes: #489533, #432264)
  * Add Vcs-* fields to debian/control

  Release-critical and security bugs:
  * Depend on smarty instead of using the embedded copy that is shipped
    with Moodle (closes: #471158, #488525, #504345)
  * Patch security bug in the embedded (and customised) copy of phpmailer
    (CVE-2007-3215, closes: #429339, #429190)
  * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
  * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
  * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)

  Trivial bug fixes:
  * Depend on zip (closes: #408995)
  * Add mysql-client as an alternative to postgresql-client
    (closes: #417554, #469094)
  * Recommend php5-ldap (closes: #425839)
  * Delete unnecessary script with bashisms (closes: #489634)

  Lintian warnings:
  * Bump Standards-Version to 3.8.0
  * Add homepage field to debian/control
  * Remove cvsignore file
  * Remove extra license file
  * Depend on yui instead of using an embedded copy

 -- Francois Marier <franc...@debian.org>  Fri, 07 Nov 2008 08:24:28 +1300

moodle (1.8.2-1.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix broken HTML filtering which could be used to perform XSS attacks,
    bypass restrictions or possibly execute arbitrary code
    (CVE-2008-1502; Closes: #489533).

 -- Nico Golde <n...@debian.org>  Sun, 20 Jul 2008 18:07:55 +0200

** Affects: moodle (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Binary package hint: moodle
  
  A new moodle package has been created that includes numerous security (~24), Debian (~20), and Ubuntu (7) bug fixes. Debian has integrated most of Ubuntu's previous changes. The 1.9.x series is also the current stable upstream release since March 2008.
  The current Jaunty package is uninstallable and has numerous security vulnerabilities. There are no dependent packages except edubuntu-server. Here is the relevant changelog entries:
  
  moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low
  
- * Merge with Debian git (Closes LP: #322961, #239481):
+ * Merge with Debian git (Closes LP: #322961, #239481, #334611):
    - use Ubuntu's smarty lib directory for linking
    - use internal yui library
    - add update-notifier support back in
  [Matt Oquist]
  * renamed prerm script
  * significantly rewrote postinst and other maintainer scripts to improve
    user experience and package maintainability
    (Closes LP: #225662, #325450, #327843, #303078, #234609)
  
   -- Jordan Mantha <laserj...@ubuntu.com>  Wed, 25 Feb 2009 15:16:22 -0800

-- 
Feature Freeze Exception: moodle 1.9.4-0ubuntu1
https://bugs.launchpad.net/bugs/334611
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

-- 
universe-bugs mailing list
universe-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/universe-bugs
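As an added example that is not part of the bug report and not Moodle, Debian or Ubuntu project code: the check a practitioner wants after reading a changelog like the one above is "which of these advisories does the version I actually have installed still lack?". The script below parses a changelog in the Debian format quoted above, collects the CVE-* and MSA-* identifiers each entry cites, and lists the ones cited by entries newer than a given installed version. The changelog embedded in it is a constructed, condensed excerpt modelled on the entries above, with placeholder maintainer addresses; the version ordering re-implements dpkg's comparison rules (epoch, upstream, revision, with `~` sorting before everything) in Python so the check also runs on a host without dpkg.

```python
"""Report which security advisories cited in a Debian changelog are missing from
an installed package version.  Added example, not project code; the changelog
text and maintainer addresses are constructed, and the version comparison is a
Python re-implementation of the dpkg ordering rules."""
import re

# Constructed excerpt in Debian changelog format (placeholder e-mail addresses).
SAMPLE_CHANGELOG = """\
moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low
  * Merge with Debian git (Closes LP: #322961, #239481, #334611)
 -- J. Maintainer <maintainer@example.org>  Wed, 25 Feb 2009 15:16:22 -0800
moodle (1.8.2.dfsg-4) unstable; urgency=high
  * Improve the fix for log URL filtering (MSA-09-0007 / CVE-2009-0500)
  * Backport upstream fix for calendar export leakage (MSA-09-0006 / CVE-2009-0501)
 -- F. Maintainer <maintainer@example.org>  Thu, 12 Feb 2009 17:27:07 +1300
moodle (1.8.2.dfsg-3) unstable; urgency=high
  * Delete unused (but vulnerable) Spellchecker plugin (MSA-09-0005, CVE-2008-5153)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
 -- F. Maintainer <maintainer@example.org>  Mon, 02 Feb 2009 19:09:10 +1300
moodle (1.8.2-1.3) unstable; urgency=high
  * Non-maintainer upload by the Security Team.
  * Fix broken HTML filtering (CVE-2008-1502; Closes: #489533).
 -- N. Maintainer <maintainer@example.org>  Sun, 20 Jul 2008 18:07:55 +0200
"""

# Stanza header: "<package> (<version>) <distributions>; urgency=<level>"
HEADER_RE = re.compile(r'^(?P<package>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) '
                       r'(?P<dists>[^;]+); urgency=(?P<urgency>\S+)')
# Advisory identifiers as written in the entries; MDL-* tracker IDs are not advisories.
ADVISORY_RE = re.compile(r'\b(CVE-\d{4}-\d{4,}|MSA-\d{2}-\d{4})\b')


def parse_changelog(text):
    """Return entries in file order (newest first): version, urgency, cited advisory IDs."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {'version': m['version'], 'urgency': m['urgency'], 'advisories': set()}
            entries.append(current)
        elif current is not None:
            current['advisories'].update(ADVISORY_RE.findall(line))
    return entries


def _order(ch):
    """dpkg character weight: digits 0, '~' before everything, letters, then other symbols."""
    if ch.isdigit():
        return 0
    if ch == '~':
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; an exhausted side weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(v1, v2):
    """Return <0, 0 or >0 like dpkg --compare-versions; splits [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(':')
        if not sep:
            epoch, rest = '0', v
        upstream, sep, revision = rest.rpartition('-')
        if not sep:
            upstream, revision = rest, ''
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def missing_fixes(changelog_text, installed_version):
    """Sorted advisory IDs cited by every entry strictly newer than installed_version."""
    missing = set()
    for entry in parse_changelog(changelog_text):
        if debian_version_cmp(entry['version'], installed_version) > 0:
            missing |= entry['advisories']
    return sorted(missing)
```

On a real host, feed `missing_fixes` the decompressed `/usr/share/doc/moodle/changelog.Debian.gz` and the version printed by `dpkg-query -W -f='${Version}' moodle`. The result is only as complete as the changelog prose: entries such as the MDL-* items above that carry no CVE or MSA identifier are not counted, so an empty list means "no cited advisory is missing", not "no known vulnerability".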