
Accepted moodle 2.7.10+dfsg-1 (source all) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Sep 2015 09:52:15 +0200
Source: moodle
Binary: moodle
Architecture: source all
Version: 2.7.10+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team <pkg-moodle-maintainers@lists.alioth.debian.org>
Changed-By: Joost van Baal-Ilić <joostvb@debian.org>
Description:
 moodle     - course management system for online learning
Closes: 746594 749609 752615 775842 778422 785591 792242 799634
Changes:
 moodle (2.7.10+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released Sept 21, 2015. Note that the
     upstream 2.7 branch is now supported for security fixes only until May 2017
     (LTS).  Security issues fixed:
     - MSA-15-0030: Students can re-attempt answering questions in the lesson,
       Reported by Eric Eakin, MDL-50516, CVE-2015-5264
     - MSA-15-0031: Teacher in forum can still post to "all participants" and
       groups they are not members of, Reported by David Scotson, MDL-50576,
       CVE-2015-5272
     - MSA-15-0032: Users can delete files uploaded by other users in wiki,
       Reported by John Provasnik, MDL-48371, CVE-2015-5265
     - MSA-15-0033: Meta course synchronisation enrols suspended students as
       managers for a short period of time, Reported by Brian Winstead,
       MDL-50744, CVE-2015-5266
     - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
       Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
     - MSA-15-0035: Rating component does not check separate groups, Reported by
       Juan Leyva, MDL-50173, CVE-2015-5268
     - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
       MDL-50709, CVE-2015-5269
     See the 21 Sep 2015 post from Marina Glancy at
     http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details on
     these fixed security issues.  Some other fixes and improvements: MDL-51050
     - Forms such as "Create new group" are no longer populated with passwords
     and usernames by the browsers; MDL-42670 - Recent activity block no longer
     shows student name when assignment blind marking is on. See
     https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more details.
     Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
     Closes: #799634
   * debian/source/lintian-overrides: add comment/comment.js, some
     lib/yuilib/3.15.0/**/*-debug.js and
     lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
     positives "source-is-missing". Bug #799861 reported against lintian.
   * debian/copyright: clarify license situation of
     lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
     lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks
     Ondřej Surý and Paul Tagliamonte. Closes: #752615
   * debian/control: no longer depend upon libphp-pclzip.  This dependency was
     actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
     Thanks David Prévot. Closes: #749609
   * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
     See also https://tracker.moodle.org/browse/MDL-45395 .  Thanks Dan Poltawski
     et al.
 .
 moodle (2.7.9+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released July 6, 2015. Note that the upstream
     2.7 branch is now supported for security fixes only until May 2017 (LTS).
     Security issues fixed:
     - MSA-15-0026 Possible phishing when redirecting to external site using
       referer header, Reported by Totara, MDL-50688, CVE-2015-3272
     - MSA-15-0028 Possible XSS through custom text profile fields in Web
       Services, Reported by Marina Glancy, MDL-50130, CVE-2015-3274
     - MSA-15-0029 Javascript injection in SCORM module, Reported by Martin
       Greenaway, MDL-50614, CVE-2015-3275
     See http://www.openwall.com/lists/oss-security/2015/07/13/2 for more details
     on these fixed security issues.  Some other fixes and improvements:
     MDL-50380 - Fixed missing parameter error when editing files in wiki;
     MDL-50177 - Upgrading assignments in 2.7/2.8 works even when conditional
     access is used; MDL-50275 - Added missing version bump after risk bitmap
     change in MDL-49941.  See the Moodle 2.7.9 release notes at
     https://docs.moodle.org/dev/Moodle_2.7.9_release_notes for more details.
     Thanks Salvatore Bonaccorso. Closes: #792242
   * debian/changelog: fix line length: max 80 columns.
 .
 moodle (2.7.8+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released 11 May 2015.  Security issues
     fixed:
     - MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare
       that, Reported by Hugh Davenport, MDL-49941, CVE-2015-3174
     - MSA-15-0019: Possible phishing when redirecting to external site using
       referer header, Reported by Dingjie Yang, MDL-49179, CVE-2015-3175
     - MSA-15-0020: User fullname disclosure through account confirmation link,
       Reported by Federico Kirschbaum, MDL-50099, CVE-2015-3176
     - MSA-15-0022: Potential XSS risk when returning text entered by student
       from Web Services, Reported by Eloy Lafuente, MDL-49718, CVE-2015-3178
     - MSA-15-0023: Suspended user is able to login when confirming email,
       Reported by Marina Glancy, MDL-50090, CVE-2015-3179
     - MSA-15-0024: User with suspended enrolment can see sections in the
       navigation tree, Reported by Alex Mitin, MDL-49788, CVE-2015-3180
     - MSA-15-0025: Capability to manage own files is not respected in Web
       Services, Reported by Juan Leyva, MDL-49994, CVE-2015-3181
     See http://www.openwall.com/lists/oss-security/2015/05/18/1 for more details
     on these fixed security issues.  Some other fixes: MDL-48187 - Fixed problem
     with new items automatically marked as extra credit in SWM category in
     Gradebook; MDL-42449 - Grade category is preserved when duplicating a
     module; MDL-46746, MDL-47003, MDL-47002 - Atto editor HTML cleaning is less
     aggressive and more aware of special tags, especially noticeable when
     pasting text from Word.  See the Moodle 2.7.8 release notes at
     https://docs.moodle.org/dev/Moodle_2.7.8_release_notes for more details.
     Thanks Salvatore Bonaccorso.  Closes: #785591
   * debian/watch: fix syntax.
 .
 moodle (2.7.7+dfsg-2) unstable; urgency=high
 .
   * debian/install: now installs scripts mdeploy.php and mdeploytest.php.
   * debian/install: now installs the directory "availability", thanks Maarten
     Horden and Oscar Diaz (Closes: #778422).
   * debian/changelog: Add some extra information on issues fixed in entry
     moodle (2.7.7+dfsg-1), thanks Marina Glancy and Thijs Kinkhorst.
   * debian/changelog: Add some extra information on CVE-2013-3630 in entry
     moodle (2.7.5+dfsg-3), thanks Marina Glancy.
 .
 moodle (2.7.7+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released 10 March 2015.  (Moodle 2.7.6 was
     released 9 March 2015).  Issues fixed:
     - MSA-15-0010: Personal contacts and number of unread messages can be
       revealed, Reported by Barry Oosthuizen, MDL-49204, CVE-2015-2266
     - MSA-15-0011: Authentication in mdeploy can be bypassed. Reported by
       Frédéric Massart, MDL-49087, CVE-2015-2267
     - MSA-15-0012: ReDoS Possible with Convert links to URLs filter. Reported by
       Rob, MDL-38466, CVE-2015-2268
     - MSA-15-0013: Block title not properly escaped and may cause HTML
       injection.  Reported by Gjoko Krstic, MDL-49144, CVE-2015-2269
     - MSA-15-0014: Potential information disclosure for the inaccessible
       courses.  Reported by Sam Hemelryk, MDL-48804, CVE-2015-2270
     - MSA-15-0015: User without proper permission is able to mark the tag as
       inappropriate, Reported by Frédéric Massart, MDL-49084, CVE-2015-2271
     - MSA-15-0016: Web services token can be created for user with temporary
       password.  Reported by Juan Leyva, MDL-48691, CVE-2015-2272
     - MSA-15-0017: XSS in quiz statistics report. Reported by Tim Hunt,
       MDL-49364, CVE-2015-2273
   * debian/changelog: enhance 2.7.2-1 entry: add note on upstream long term
     support of this 2.7 branch.
   * debian/TODO: add some build instructions.
   * debian/control: more strict php-cas dependency: known to break with
     1.3.1-4+deb7u1, known to work with 1.3.3-1.
 .
 moodle (2.7.5+dfsg-3) unstable; urgency=high
 .
   * debian/README.Debian: add authors and dates, in order to make status more
     clear.
   * debian/watch: (trying to) get it working again, with revamped moodle.org
     website.
   * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
   * For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
     will not get fixed: it's not a bug: the attack can only get launched by an
     administrator, and administrators need to be trusted.  Sites that provide
     shared hosting and want to prevent the Moodle admin user from being able to
     set executable paths can also use: "$CFG->preventexecpath = true;".  See
     also Debian bug #775842 and Moodle issue MDL-41449.
   * Fix CVE-2014-4172 and CVE-2014-2054:
     - debian/rules, debian/control: don't use CAS client library as shipped with
       moodle (unchanged phpCAS 1.3.3, see upstream
       auth/cas/CAS/moodle_readme.txt) but php-cas as shipped with Debian
       (1.3.3-1 and 1.3.1-4+deb7u1); create symlinks /u/s/m/auth/cas/CAS/CAS.php
       -> /usr/share/php/CAS.php and /u/s/m/auth/cas/CAS/CAS ->
       /usr/share/php/CAS/.  This fixes CVE-2014-4172.
     - debian/rules: remove /u/s/m/lib/phpexcel from binary package.  Remove
       lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources.  This fixes both
       a license problem and a security problem: Although the PHP license is
       generally agreed to be DFSG-free, using it as a license on anything that
       isn't PHP itself makes the result non-free.  PHP OLE is licensed under the
       PHP license.  Older versions of PHP Excel, such as the one shipped with
       moodle, suffer from security problem CVE-2014-2054.  See also Debian Bug
       #718585 "RFP: php-excel".  (Closes: #746594)
     This closed Debian bug "Multiple security issues"; thanks Moritz
     Muehlenhoff, Thijs Kinkhorst and Hubert Chathi (Closes: #775842)
Checksums-Sha1:
 486d1aecb4ad26b67eeeec92050c9aef46f0ced8 1725 moodle_2.7.10+dfsg-1.dsc
 6386157e42550534aed3a1f44a821859cc40c611 34992383 moodle_2.7.10+dfsg.orig.tar.gz
 45f2ae58b6d34a95599ca5dd9942aeecac46c491 72212992 moodle_2.7.10+dfsg-1.debian.tar.xz
 71f5abc352b1bdef05dc4088df477e8155fb27b6 15415222 moodle_2.7.10+dfsg-1_all.deb
Checksums-Sha256:
 938854a7282e581ddbcb58e90cbb5e2d30abe89f93e3e073ccc70b2cd2358b21 1725 moodle_2.7.10+dfsg-1.dsc
 7402c5dd3cd490d7747a6da7955e3de2e99933ede743e7b6cf68d9c02c92fa1b 34992383 moodle_2.7.10+dfsg.orig.tar.gz
 460bacfd431b6adc1eab608f0a33640d0be4055f2f2fc3ee626f5752a67fa7f5 72212992 moodle_2.7.10+dfsg-1.debian.tar.xz
 024f1887cc3bfa0c85df7979402870d34670141371154ae90f6f6401a3cf091b 15415222 moodle_2.7.10+dfsg-1_all.deb
Files:
 807bc24231c0db678e1d9d13770d7760 1725 web optional moodle_2.7.10+dfsg-1.dsc
 2156effe57b122ab058a3b7410b3a98f 34992383 web optional moodle_2.7.10+dfsg.orig.tar.gz
 a4337310fe47fccd55d8976a7baf747d 72212992 web optional moodle_2.7.10+dfsg-1.debian.tar.xz
 a9224ab98ff0df1585368801332ff2a9 15415222 web optional moodle_2.7.10+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJWCPigAAoJEDNRenKl5rDIJ5QIAKNn5Au1z2vH0yao3iQr8Nv9
16wcR8RfR0w9yM1/zRhdBDR5UkakNvT58CO8TjsUa9n5xe6JeomsIILtlEb0boIS
4uczMnffBBYXxjFEj8GF+dUfRClyOkh1YMUdoxdhxA5M1YnhExFz2eo2JusZ+s9Z
x2EO5F/l9UK0tryAOo2gSi/bX21de/97LxhwOQGhGeG6IGg2+ORLpYCZd64+mEnP
3YgiYT8ozvm77sGbxhjGq2CBOqjHHQzsJP+XeZUSvJBU9LhYCnlSXH9ki8JiP/Wy
Xk0iujDpu1CVCkl0QKcGzh/U6I4qFRM9Mo7y9oygxMDLIceK7/MW5vfl9nCVaJc=
=Zq43
-----END PGP SIGNATURE-----
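The Checksums-Sha1, Checksums-Sha256 and Files stanzas above are what a consumer of this upload should compare against the artifacts actually fetched, after first verifying the PGP signature over the whole message. Of the three stanzas only Checksums-Sha256 is worth trusting for integrity: the Files stanza carries MD5 and the signature itself is made with SHA1 (see the Hash: line), both of which are collision-prone. The following is an added example and is not code from this page or from Debian's tooling (devscripts ships `dscverify` for the real job). It parses the Checksums-Sha256 stanza of a .changes file and checks size and digest of every listed file in a download directory. The `demo()` function builds a constructed sample in a temporary directory, reusing the filenames from this upload but with stand-in contents and hashes, covering an intact, a tampered, a truncated and a missing artifact.

```python
import hashlib
import os
import re
import shutil
import tempfile

# A continuation line of a Checksums-* stanza in a .changes or .dsc file:
# "<hex digest> <size in bytes> <filename>". Lines of the Files: stanza have
# extra section/priority columns and therefore do not match this pattern.
CHECKSUM_LINE = re.compile(r"^\s+([0-9a-f]+)\s+(\d+)\s+(\S+)$")


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (digest, size)} for one checksum stanza."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            m = CHECKSUM_LINE.match(line)
            if not m:
                break  # next field starts at column 0: stanza is over
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    return entries


def verify_changes(changes_text, directory, algo="sha256"):
    """Check each file of the Checksums-<algo> stanza against the files on disk.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    The size is compared before hashing: a length mismatch is cheap to detect
    and already proves the artifact is not the one that was signed.
    """
    field = "Checksums-" + algo.capitalize()  # "sha256" -> "Checksums-Sha256"
    results = {}
    for name, (expected_digest, expected_size) in parse_checksums(changes_text, field).items():
        # basename() keeps a hostile filename from escaping the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != expected_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected_digest else "digest-mismatch"
    return results


def demo():
    """Constructed sample (not the real upload): four listed files, of which
    one is intact, one tampered at equal length, one truncated, one absent."""
    tmp = tempfile.mkdtemp()
    good = b"constructed stand-in for a moodle artifact\n"
    tampered = good[:-2] + b"!\n"      # same length, different bytes
    truncated = good[:-5]              # different length
    digest = hashlib.sha256(good).hexdigest()
    changes = (
        "Format: 1.8\n"
        "Source: moodle\n"
        "Checksums-Sha256:\n"
        f" {digest} {len(good)} moodle_2.7.10+dfsg-1.dsc\n"
        f" {digest} {len(good)} moodle_2.7.10+dfsg-1_all.deb\n"
        f" {digest} {len(good)} moodle_2.7.10+dfsg-1.debian.tar.xz\n"
        f" {digest} {len(good)} moodle_2.7.10+dfsg.orig.tar.gz\n"
        "Files:\n"
        f" 00000000000000000000000000000000 {len(good)} web optional moodle_2.7.10+dfsg-1.dsc\n"
    )
    samples = {
        "moodle_2.7.10+dfsg-1.dsc": good,
        "moodle_2.7.10+dfsg-1_all.deb": tampered,
        "moodle_2.7.10+dfsg-1.debian.tar.xz": truncated,
        # orig.tar.gz deliberately not written: the "missing" case
    }
    try:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        return verify_changes(changes, tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

Run against a real download, `verify_changes(open("moodle_2.7.10+dfsg-1_source.changes").read(), ".")` reports any file whose status is not "ok"; a "digest-mismatch" on an artifact of the right size is exactly the case a tampered mirror produces, and it is only meaningful after `gpg --verify` has accepted the signature on the .changes file itself.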