Public bug reported:

Binary package hint: moodle

A new moodle package has been created that includes numerous security
(~24), Debian (~20), and Ubuntu (7) bug fixes. Debian has integrated
most of Ubuntu's previous changes.  The 1.9.x series is also the current
stable upstream release since March 2008. The current Jaunty package is
uninstallable and has numerous security vulnerabilities. There are no
dependent packages except edubuntu-server.

Here are the relevant changelog entries:

moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low

  * Merge with Debian git (Closes LP: #322961, #239481, #334611):
    - use Ubuntu's smarty lib directory for linking
    - use internal yui library 
    - add update-notifier support back in

  [Matt Oquist]
    * renamed prerm script
    * significantly rewrote postinst and other maintainer scripts to improve
      user experience and package maintainability
      (Closes LP: #225662, #325450, #327843, #303078, #234609)

 -- Jordan Mantha <laserj...@ubuntu.com>  Wed, 25 Feb 2009 15:16:22 -0800

moodle (1.9.4.dfsg-1) UNRELEASED; urgency=low

  * New Upstream Version (closes: #475535, #514284, #515823)
    (added notes/ and tag/ to debian/install)
  * Merge with Ubuntu:
    - drop use of wwwconfig (closes: #389502, #302205)
    - debian/postinst: ucf fixes (fixes a hang)

  * Remove preinst (no more direct upgrades from sarge)
  * Remove PHP4 support from the Apache config file we provide
  * Drop support for apache 1.x and remove from debconf
  * Add swedish debconf translation (closes: #511202)

  * Bump debhelper compatibility to 7
  * Add lintian overrides for known customised libraries
  * Add new license files to delete (lintian warning)
  * Compress the deb with bzip2
  * Add a watch file
  * Update copyright file

  Dependencies:
  * Depend on libjs-yui instead of yui (renamed after lenny)
  * Add dependency on unzip
  * Recommend php5-xmlrpc and aspell
  * Suggest clamav
  * Demoted mimetex to recommended

  Generated config:
  * Turn 'dbpersist' on by default in the generated config.php
  * Include whitespace warning at the end of generated config.php
  * Set the path to du, unzip and zip

 -- Francois Marier <franc...@debian.org>  Tue, 24 Feb 2009 08:17:50 +1300

moodle (1.8.2.dfsg-4) unstable; urgency=high

  * Improve the fix for log URL filtering as suggested by Steffen Joeris
    (MSA-09-0007 / CVE-2009-0500)
  * Backport upstream fix for calendar export leakage
    (MSA-09-0006 / CVE-2009-0501)

 -- Francois Marier <franc...@debian.org>  Thu, 12 Feb 2009 17:27:07 +1300

moodle (1.8.2.dfsg-3) unstable; urgency=high

  * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
    (MSA-09-0005, CVE-2008-5153)
  * Hide images of deleted users (MSA-09-0001)
  * Fix user pix disclosure (MSA-09-0002)
  * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
  * Fix CSRF vulnerability in forum code (MSA-09-0008)

 -- Francois Marier <franc...@debian.org>  Mon, 02 Feb 2009 19:09:10 +1300

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update html2text to prevent code execution attacks (closes: #508909)

 -- Francois Marier <franc...@debian.org>  Wed, 17 Dec 2008 13:37:10 +1300

moodle (1.8.2.dfsg-1) unstable; urgency=high

  * Replace html2text with a GPL alternative (closes: #507947)
  * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
  * Add Dan Poltawski to the uploaders field

 -- Francois Marier <franc...@debian.org>  Tue, 16 Dec 2008 20:24:27 +1300

moodle (1.8.2-2) unstable; urgency=high

  * Adopt orphaned package (closes: #494642)
  * Acknowledge security NMU (closes: #489533, #432264)
  * Add Vcs-* fields to debian/control

  Release-critical and security bugs:
 
  * Depend on smarty instead of using the embedded copy that is shipped
    with Moodle (closes: #471158, #488525, #504345)
  * Patch security bug in the embedded (and customised) copy of phpmailer
    (CVE-2007-3215, closes: #429339, #429190)
  * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
  * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
  * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)

  Trivial bug fixes:

  * Depend on zip (closes: #408995)
  * Add mysql-client as an alternative to postgresql-client
    (closes: #417554, #469094)
  * Recommend php5-ldap (closes: #425839)
  * Delete unnecessary script with bashisms (closes: #489634)

  Lintian warnings:

  * Bump Standards-Version to 3.8.0
  * Add homepage field to debian/control
  * Remove cvsignore file
  * Remove extra license file
  * Depend on yui instead of using an embedded copy

 -- Francois Marier <franc...@debian.org>  Fri, 07 Nov 2008 08:24:28 +1300

moodle (1.8.2-1.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix broken HTML filtering which could be used to perform XSS attacks,
    bypass restrictions or possibly execute arbitrary code
    (CVE-2008-1502; Closes: #489533).

 -- Nico Golde <n...@debian.org>  Sun, 20 Jul 2008 18:07:55 +0200

** Affects: moodle (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:
  
-   * Merge with Debian git (Closes LP: #322961, #239481):
+   * Merge with Debian git (Closes LP: #322961, #239481, #334611):

-- 
Feature Freeze Exception: moodle 1.9.4-0ubuntu1
https://bugs.launchpad.net/bugs/334611
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs