Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-12 Thread Tomasz Muras

On 03/11/2013 09:35 PM, Jonathan Wiltshire wrote:

On Mon, Mar 11, 2013 at 06:43:02PM +0100, Tomasz Muras wrote:

On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:

Just to clarify before I do it: stable stays as it is; remove moodle

from Wheezy and you will work on the basis of getting 2.5 into Jessie?

Intermediate versions can always go into backports of course.



On Mon, Mar 11, 2013 at 02:40:55PM -0400, Hubert Chathi wrote:

On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:


Correct. 1.9 is still supported (it won't be for long) and can stay in
stable.  I am thinking that I would package 2.5 and then 2.6 in
unstable and not let it migrate into testing - unless an LTS upstream
version is released. Does it make sense?


Yes.


AFAIK, if a package is not intended to go into testing, it should be in
experimental rather than unstable.


Unstable is fine. Protecting unstable doesn't make any sense for a package
that isn't in testing anyway. When the freeze is lifted normal transition
will take place.


Great, sounds like a plan to me. I'll document it on 
http://wiki.debian.org/Moodle and update all interested.



One thing I'm not sure about is what will happen to current users of
the moodle package. They have 1.9 in squeeze, there will be nothing in
wheezy, but then the package will appear back in jessie - with no
upgrade path. The only way to get moodle back will be to drop the
package completely (and drop the DB) and re-install it. Of course we could
provide some manual instructions to install the 2.2 package and then
upgrade to 2.4.


IIRC, technically, we wouldn't need to worry about upgrades, since we
only need to do upgrades from the previous Debian release.  Of course,
that's not a very nice thing to do.  One option is to provide a 2.2 deb
package that they can download from some other repository (we could
probably dump it somewhere in Alioth).  That would probably be easier
than having to install 2.2 via a non-deb method.  And you could add a
preinst script in the 2.5 package that would abort the upgrade if the
user tries to upgrade from 1.9.


This is why I suggest using wheezy-backports.


Great, we're not promising any security updates in *-backports, so we 
can have:

* Moodle 1.9 in squeeze
* nothing in wheezy
* Moodle 2.2 with security issues in wheezy-backports, just to cover for 
users that want to use it for the upgrade path
* LTS (possibly 2.6) in unstable, with migration to testing blocked 
until the version is confirmed LTS. The preinst check seems like a good 
idea.



Tomek


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-12 Thread Julien Cristau
On Tue, Mar 12, 2013 at 21:06:01 +0100, Tomasz Muras wrote:

 Great, we're not promising any security updates in *-backports, so
 we can have:
 * Moodle 1.9 in squeeze
 * nothing in wheezy
 * Moodle 2.2 with security issues in wheezy-backports, just to cover
 for users that want to use it for the upgrade path
 * LTS (possibly 2.6) in unstable, with migration to testing blocked
 until the version is confirmed LTS. The preinst check seems like a
 good idea.
 
Not promising security support doesn't mean knowingly shipping stuff
that doesn't (and won't) get any fixes is reasonable.

Cheers,
Julien




Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Didier 'OdyX' Raboud
Hi Thomas, hi Release Team, hi Moodle maintainers.

On Thursday, 28 February 2013 18:00:19, Didier 'OdyX' Raboud wrote:
 So please just re-issue a correctly-versioned Debian package and I'll
 upload it to unstable (then we'll take a look at the package for
 testing-proposed-updates).

Given that:

a) we fail at releasing Moodle updates to unstable in a timely manner (and I
   have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to wheezy in a
   timely manner (this unblock has been open for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not
   even security), according to [0];
   Furthermore on that point, as far as I can see, there is no one taking
   responsibility to handle Moodle 2.2 security on the long term (Moodle in
   Wheezy will need to be security-handled for roughly three years, yet it is
   _already_ not supported).
d) there are (in my opinion) not enough people behind the maintenance of
   Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not
   willing to get more involved.

So as much as I find that unfortunate, I think that the best solution for all 
of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.

Thomasz, as you're the actual de-facto maintainer, please voice your opinion 
as I have voiced mine: the decision is in the hands of the Release Team I 
guess.

Cheers

OdyX




Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Didier 'OdyX' Raboud
Sorry, missed my footnote:

On Monday, 11 March 2013 10:49:49, Didier 'OdyX' Raboud wrote:
 c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything
 (not even security), according to [0];

[0] http://docs.moodle.org/dev/Releases#Moodle_2.2

That allows me to correct what I wrote earlier: Moodle 2.2 is not yet out
of security support, but it will undoubtedly be from June 2013 on, which is
still very early in the Wheezy-as-stable lifecycle.

Cheers,

OdyX





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Tomasz Muras

On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:

a) we fail at releasing Moodle updates to unstable in a timely manner (and I
have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to wheezy in a
timely manner (this unblock has been open for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not
even security), according to [0];
Furthermore on that point, as far as I can see, there is no one taking
responsibility to handle Moodle 2.2 security on the long term (Moodle in
Wheezy will need to be security-handled for roughly three years, yet it is
_already_ not supported).
d) there are (in my opinion) not enough people behind the maintenance of
Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not
willing to get more involved.

So as much as I find that unfortunate, I think that the best solution for all
of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.

Thomasz, as you're the actual de-facto maintainer, please voice your opinion
as I have voiced mine: the decision is in the hands of the Release Team I
guess.


I have exactly the same concerns. Security fixes have been released for 
Moodle 2.2 today. I could cherry-pick the patches and we could close 
this bug - not a big deal. There will probably be another security update 
for Moodle this year but that's it.


Realistically speaking there is no way I can maintain security fixes for 
software of this size that is not supported by upstream.


I have put Moodle 2.2 into Wheezy as that's the only possible upgrade 
path for Moodle (1.9 -> 2.2 -> 2.3+).


By not shipping 2.2 in wheezy, we will break the upgrades for any 
current users. I don't see any other option though. There are talks in 
Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably the 
only reasonable way to maintain a high quality package like this in Debian.


+1 for not shipping 2.2, breaking the upgrade path for this package, 
start from 2.5 (or higher) in unstable and provide Moodle LTS editions 
in Debian stable only.


Tomek





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Jonathan Wiltshire

On 2013-03-11 10:18, Tomasz Muras wrote:

On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:
a) we fail at releasing Moodle updates to unstable in a timely manner (and I
have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to wheezy in a
timely manner (this unblock has been open for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not
even security), according to [0];
Furthermore on that point, as far as I can see, there is no one taking
responsibility to handle Moodle 2.2 security on the long term (Moodle in
Wheezy will need to be security-handled for roughly three years, yet it is
_already_ not supported).
d) there are (in my opinion) not enough people behind the maintenance of
Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not
willing to get more involved.

So as much as I find that unfortunate, I think that the best solution for all
of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.

Thomasz, as you're the actual de-facto maintainer, please voice your opinion
as I have voiced mine: the decision is in the hands of the Release Team I
guess.


I have exactly the same concerns. Security fixes have been released
for Moodle 2.2 today. I could cherry-pick the patches and we could
close this bug - not a big deal. There will probably be another
security update for Moodle this year but that's it.

Realistically speaking there is no way I can maintain security fixes
for software of this size that is not supported by upstream.

I have put Moodle 2.2 into Wheezy as that's the only possible upgrade
path for Moodle (1.9 -> 2.2 -> 2.3+).

By not shipping 2.2 in wheezy, we will break the upgrades for any
current users. I don't see any other option though. There are talks in
Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably
the only reasonable way to maintain a high quality package like this
in Debian.


We have found this elsewhere too (e.g. mediawiki, where they are moving 
to a six-month cycle but adding LTS releases for distributions).



+1 for not shipping 2.2, breaking the upgrade path for this package,
start from 2.5 (or higher) in unstable and provide Moodle LTS editions
in Debian stable only.


Just to clarify before I do it: stable stays as it is; remove moodle 
from Wheezy and you will work on the basis of getting 2.5 into Jessie? 
Intermediate versions can always go into backports of course.


It is indeed unfortunate, but carrying security support on our own for 
that long does make me nervous.


Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from
8-10. i am well qualified to say it is made from bonghits
layered on top of bonghits





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Tomasz Muras

On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:

On 2013-03-11 10:18, Tomasz Muras wrote:

On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:

So as much as I find that unfortunate, I think that the best solution
for all of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2
in Wheezy.

I have exactly the same concerns. Security fixes have been released
for Moodle 2.2 today. I could cherry-pick the patches and we could
close this bug - not a big deal. There will probably be another
security update for Moodle this year but that's it.

Realistically speaking there is no way I can maintain security fixes
for software of this size that is not supported by upstream.

I have put Moodle 2.2 into Wheezy as that's the only possible upgrade
path for Moodle (1.9 -> 2.2 -> 2.3+).

By not shipping 2.2 in wheezy, we will break the upgrades for any
current users. I don't see any other option though. There are talks in
Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably
the only reasonable way to maintain a high quality package like this
in Debian.


We have found this elsewhere too (e.g. mediawiki, where they are moving
to a six-month cycle but adding LTS releases for distributions).


+1 for not shipping 2.2, breaking the upgrade path for this package,
start from 2.5 (or higher) in unstable and provide Moodle LTS editions
in Debian stable only.


Just to clarify before I do it: stable stays as it is; remove moodle
from Wheezy and you will work on the basis of getting 2.5 into Jessie?
Intermediate versions can always go into backports of course.


Correct. 1.9 is still supported (it won't be for long) and can stay in 
stable.
I am thinking that I would package 2.5 and then 2.6 in unstable 
and not let it migrate into testing - unless an LTS upstream version is 
released. Does it make sense?


One thing I'm not sure about is what will happen to current users of 
the moodle package. They have 1.9 in squeeze, there will be nothing in 
wheezy, but then the package will appear back in jessie - with no 
upgrade path. The only way to get moodle back will be to drop the 
package completely (and drop the DB) and re-install it. Of course we could 
provide some manual instructions to install the 2.2 package and then upgrade 
to 2.4.


Tomek





Bug#698245: [moodle-packaging] Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Hubert Chathi
On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:

 Correct. 1.9 is still supported (it won't be for long) and can stay in
 stable.  I am thinking that I would package 2.5 and then 2.6 in
 unstable and not let it migrate into testing - unless an LTS upstream
 version is released. Does it make sense?

AFAIK, if a package is not intended to go into testing, it should be in
experimental rather than unstable.

 One thing I'm not sure about is what will happen to current users of
 the moodle package. They have 1.9 in squeeze, there will be nothing in
 wheezy, but then the package will appear back in jessie - with no
 upgrade path. The only way to get moodle back will be to drop the
 package completely (and drop the DB) and re-install it. Of course we could
 provide some manual instructions to install the 2.2 package and then
 upgrade to 2.4.

IIRC, technically, we wouldn't need to worry about upgrades, since we
only need to do upgrades from the previous Debian release.  Of course,
that's not a very nice thing to do.  One option is to provide a 2.2 deb
package that they can download from some other repository (we could
probably dump it somewhere in Alioth).  That would probably be easier
than having to install 2.2 via a non-deb method.  And you could add a
preinst script in the 2.5 package that would abort the upgrade if the
user tries to upgrade from 1.9.

-- 
Hubert Chathi uho...@debian.org -- Jabber: hub...@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
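The preinst check proposed in the message above, written out as an added example; it is not the moodle package's own maintainer script, and the minimum version, the refusal message and the wiki URL it prints are assumptions taken from this thread (the thread gives the supported path as 1.9 -> 2.2 -> 2.3+). dpkg invokes a package's preinst as `preinst upgrade <old-version>` (or `preinst install <old-version>` when the old package was removed but not purged), so the script compares that old version against the lowest version the upstream upgrade path supports and exits non-zero otherwise. On a non-zero preinst exit dpkg aborts the upgrade and leaves the old package installed, so the existing site and its database are untouched.

```shell
#!/bin/sh
# Added example of a preinst upgrade-path guard (not the moodle package's
# own script). Assumption: direct upgrades are supported only from
# MIN_UPGRADABLE or later, as the thread describes for Moodle (1.9 -> 2.2 -> 2.3+).
set -e

MIN_UPGRADABLE="2.2"

# version_ge OLD MIN: succeed when OLD >= MIN in Debian version ordering.
# dpkg's comparator is authoritative (it understands "~", epochs and
# Debian revisions); the sort -V fallback only approximates it and is
# there so the function can be exercised outside a Debian system.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# upgrade_path_ok OLD: succeed when the currently installed version OLD
# (empty on a fresh install) can be upgraded directly to this package.
upgrade_path_ok() {
    old="$1"
    # Fresh install: nothing to check.
    [ -z "$old" ] && return 0
    version_ge "$old" "$MIN_UPGRADABLE"
}

# dpkg calls: preinst install|upgrade [old-version]
case "$1" in
    install|upgrade)
        if ! upgrade_path_ok "$2"; then
            cat >&2 <<EOF
moodle: refusing to upgrade directly from version $2.
Upstream supports upgrades only from $MIN_UPGRADABLE or later; install a
$MIN_UPGRADABLE package first and let it migrate the database.
See http://wiki.debian.org/Moodle for the documented path.
EOF
            exit 1
        fi
        ;;
esac

exit 0
```

Running it by hand as `sh preinst upgrade 1.9.9.dfsg2-2.1` prints the refusal and exits 1, while `sh preinst upgrade 2.2.3.dfsg-2.6~wheezy2` exits 0. Keeping the comparison in `dpkg --compare-versions` rather than a hand-rolled string test matters here because Debian revisions and `~` pre-release markers do not sort lexically.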





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Jonathan Wiltshire
On Mon, Mar 11, 2013 at 06:43:02PM +0100, Tomasz Muras wrote:
 On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:
 Just to clarify before I do it: stable stays as it is; remove moodle
 from Wheezy and you will work on the basis of getting 2.5 into Jessie?
 Intermediate versions can always go into backports of course.
 
On Mon, Mar 11, 2013 at 02:40:55PM -0400, Hubert Chathi wrote:
 On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:
 
  Correct. 1.9 is still supported (it won't be for long) and can stay in
  stable.  I am thinking that I would package 2.5 and then 2.6 in
  unstable and not let it migrate into testing - unless an LTS upstream
  version is released. Does it make sense?

Yes.

 AFAIK, if a package is not intended to go into testing, it should be in
 experimental rather than unstable.

Unstable is fine. Protecting unstable doesn't make any sense for a package
that isn't in testing anyway. When the freeze is lifted normal transition
will take place.

  One thing I'm not sure about is what will happen to current users of
  the moodle package. They have 1.9 in squeeze, there will be nothing in
  wheezy, but then the package will appear back in jessie - with no
  upgrade path. The only way to get moodle back will be to drop the
  package completely (and drop the DB) and re-install it. Of course we could
  provide some manual instructions to install the 2.2 package and then
  upgrade to 2.4.
 
 IIRC, technically, we wouldn't need to worry about upgrades, since we
 only need to do upgrades from the previous Debian release.  Of course,
 that's not a very nice thing to do.  One option is to provide a 2.2 deb
 package that they can download from some other repository (we could
 probably dump it somewhere in Alioth).  That would probably be easier
 than having to install 2.2 via a non-deb method.  And you could add a
 preinst script in the 2.5 package that would abort the upgrade if the
 user tries to upgrade from 1.9.

This is why I suggest using wheezy-backports.

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-02-28 Thread Didier 'OdyX' Raboud
Hi Thomas, and thanks for this package,

sorry for my misguided mail earlier, apparently yours just missed my inbox.

On Monday, 28 January 2013 18:38:49, Tomasz Muras wrote:
 The package for unstable is available at:
 dget http://dev.agilesparkle.com/moodle_2.2.7.dfsg-1.dsc
 
 Please review & upload to unstable. It contains all upstream fixes +
 CURL issue patch.

One important thing: this is not Moodle 2.2.7. That's the weekly release of 
Moodle 2.2, released after 2.2.7. So the version is IMHO wrong and should 
instead be something like 2.2.7+20130125.dfsg-1 .

Even if I usually try to stick to released tarballs, in the specific case of 
Moodle I'm fine with releasing weekly snapshots, but they must be versioned 
correctly. Other than that, the package looks good to me, besides the usual-
but-not-worse-than-before embedded libraries such as TinyMCE (3.4.9, 
tiny_mce.js, tiny_mce_popup.js and tiny_mce_src.js), HTMLPurifier.php and YUI 
(3.4.1).

So please just re-issue a correctly-versioned Debian package and I'll upload 
it to unstable (then we'll take a look at the package for 
testing-proposed-updates).

OdyX





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-02-28 Thread Didier 'OdyX' Raboud
Hi Thomasz,

On Wednesday, 23 January 2013 23:57:39, Jonathan Wiltshire wrote:
  On Saturday, 19 January 2013 14:37:39, Tomasz Muras wrote:
   CVE numbers added, new changelog entry copied below for your
   convenience. MSA-13-0001 has no CVE assigned. Newest package available
   at: dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc
  
  Seems good to me; now waiting on the release team's opinion
 
 I would be happy to accept the patches proposed, but they need fixing in
 unstable first if they have not been already.

Did you plan to prepare an update for Moodle 2.2 on unstable? It would be 
good to get the latest security fixes in unstable soon and then to wheezy.

Cheers,

OdyX





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-28 Thread Tomasz Muras

On 01/23/2013 11:57 PM, Jonathan Wiltshire wrote:

I would be happy to accept the patches proposed, but they need fixing in
unstable first if they have not been already.

You can go ahead and upload to t-p-u once the fixes reach unstable, and I
will accept it after a few days to allow testing to take place.


Hi Didier,

The package for unstable is available at:
dget http://dev.agilesparkle.com/moodle_2.2.7.dfsg-1.dsc

Please review & upload to unstable. It contains all upstream fixes + 
CURL issue patch.


cheers,
Tomek





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-23 Thread Jonathan Wiltshire
Control: tag -1 + confirmed

Hi,

On Sun, Jan 20, 2013 at 11:20:06AM +0100, Didier 'OdyX' Raboud wrote:
 Hi Tomasz,
 
 On Saturday, 19 January 2013 14:37:39, Tomasz Muras wrote:
  CVE numbers added, new changelog entry copied below for your
  convenience. MSA-13-0001 has no CVE assigned. Newest package available at:
  dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc
 
 Seems good to me; now waiting on the release team's opinion

I would be happy to accept the patches proposed, but they need fixing in
unstable first if they have not been already.

You can go ahead and upload to t-p-u once the fixes reach unstable, and I
will accept it after a few days to allow testing to take place.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-20 Thread Didier 'OdyX' Raboud
Hi Tomasz,

On Saturday, 19 January 2013 14:37:39, Tomasz Muras wrote:
 CVE numbers added, new changelog entry copied below for your
 convenience. MSA-13-0001 has no CVE assigned. Newest package available at:
 dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

Seems good to me; now waiting on the release team's opinion

  Please also prepare an update of Moodle 2.2.6+ for unstable to ensure
  that unstable gets the fixes targeted for Wheezy too. As unstable
  already diverged from the wheezy version, I think updating the unstable
  packaging to the latest 2.2 version is safe. I will also sponsor this
  version (after review, of course).
 
 I want to move to the latest 2.4 in unstable, I'm just waiting for
 wheezy to be released to continue packaging work. I needed 2.2 in stable
 only because the upgrade path is 1.9 -> 2.2 -> 2.4.

Well… The policy is to have unstable at least as well supported security-wise 
as testing, so we need a latest 2.2 (or a 2.2 with backports of the fixes 
proposed for t-p-u) approximately in sync with the t-p-u upload; ideally 
before.

That said, I can prepare the 2.2 upload to unstable if you want, but I think 
it's a git merge away.

Cheers,

OdyX




Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-19 Thread Tomasz Muras

On 01/17/2013 10:15 AM, Didier 'OdyX' Raboud wrote:

Please include the CVEs in the changelog entry, as done for the latest entry:
they are important for security problems tracking. They are available in the
mail I forwarded to you in private. (CVE-2012-6098 to CVE-2012-6106).


Hi Didier,

CVE numbers added, new changelog entry copied below for your 
convenience. MSA-13-0001 has no CVE assigned. Newest package available at:

dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low

  * Backport security issues from upstream Moodle 2.2.7.
    * MSA-13-0009: MDL-37467 - blog posts available via RSS after
      blogging disabled
      Fixes CVE-2012-6105
    * MSA-13-0007: MDL-36600 - course message sending CSRF
      Fixes CVE-2012-6103
    * MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker
    * MSA-13-0003: MDL-36977 - moodle backup paths not validated properly
      Fixes CVE-2012-6099
    * MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard
      when re-editing
      Fixes CVE-2012-6098
    * MSA-13-0004: MDL-33340 - activity report showing lastaccess even
      if field hidden
      Fixes CVE-2012-6100
    * MSA-13-0008: MDL-36620 - guest users can access RSS feed for site
      level blogs
      Fixes CVE-2012-6104
    * MSA-13-0005: MDL-35991 - open redirect issues
      Fixes CVE-2012-6101

 -- Tomasz Muras nexor1...@gmail.com  Tue, 15 Jan 2013 20:43:50 +0100



Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that
unstable gets the fixes targeted for Wheezy too. As unstable already diverged
from the wheezy version, I think updating the unstable packaging to the latest
2.2 version is safe. I will also sponsor this version (after review, of
course).


I want to move to the latest 2.4 in unstable, I'm just waiting for 
wheezy to be released to continue packaging work. I needed 2.2 in stable 
only because the upgrade path is 1.9 -> 2.2 -> 2.4.


cheers,
Tomek





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-17 Thread Didier 'OdyX' Raboud
Control: retitle -1 tpu: package moodle/2.2.3.dfsg-2.6~wheezy2

(CC'ing the security team for information)

Hi Thomasz, and thanks for this upload proposal,

On Tuesday, 15 January 2013 22:35:54, Tomasz Muras wrote:
 Please unblock package moodle
 
 I am about to get a new version of the package uploaded to
 testing-proposed-updates. The new version fixes security issues from
 the upstream release.

I will sponsor this upload once and if it gets accepted by the release team.

 diff -Nru moodle-2.2.3.dfsg/debian/changelog
 moodle-2.2.3.dfsg/debian/changelog
 --- moodle-2.2.3.dfsg/debian/changelog2012-12-31 18:26:26.0 
 +0100
 +++ moodle-2.2.3.dfsg/debian/changelog2013-01-15 22:29:57.0 
 +0100
 @@ -1,3 +1,17 @@
 +moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low
 +
 +  * Backport security issues from upstream Moodle 2.2.7.
 +* MSA-13-0009: MDL-37467 - blog posts available via RSS after
 blogging disabled
 +* MSA-13-0007: MDL-36600 - course message sending CSRF
 +* MSA-13-0001: MDL-37283 - lack of sanitization for google
 spellchecker +* MSA-13-0003: MDL-36977 - moodle backup paths not
 validated properly +* MSA-13-0002: MDL-27619 - teachers can set
 outcomes to be standard when re-editing
 +* MSA-13-0004: MDL-33340 - activity report showing lastaccess even
 if field hidden
 +* MSA-13-0008: MDL-36620 - guest users can access RSS feed for site
 level blogs
 +* MSA-13-0005: MDL-35991 - open redirect issues
 +
 + -- Tomasz Muras nexor1...@gmail.com  Tue, 15 Jan 2013 20:43:50 +0100
 +

Please include the CVEs in the changelog entry, as done for the latest entry: 
they are important for security problems tracking. They are available in the 
mail I forwarded to you in private. (CVE-2012-6098 to CVE-2012-6106).

Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that 
unstable gets the fixes targeted for Wheezy too. As unstable already diverged 
from the wheezy version, I think updating the unstable packaging to the latest 
2.2 version is safe. I will also sponsor this version (after review, of 
course).

Cheers,

OdyX





Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-15 Thread Tomasz Muras

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package moodle

I am about to get a new version of the package uploaded to
testing-proposed-updates. The new version fixes security issues from 
the upstream release.


diff -Nru moodle-2.2.3.dfsg/debian/changelog 
moodle-2.2.3.dfsg/debian/changelog

--- moodle-2.2.3.dfsg/debian/changelog  2012-12-31 18:26:26.0 +0100
+++ moodle-2.2.3.dfsg/debian/changelog  2013-01-15 22:29:57.0 +0100
@@ -1,3 +1,17 @@
+moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low
+
+  * Backport security issues from upstream Moodle 2.2.7.
+* MSA-13-0009: MDL-37467 - blog posts available via RSS after 
blogging disabled

+* MSA-13-0007: MDL-36600 - course message sending CSRF
+* MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker
+* MSA-13-0003: MDL-36977 - moodle backup paths not validated properly
+* MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard 
when re-editing
+* MSA-13-0004: MDL-33340 - activity report showing lastaccess even 
if field hidden
+* MSA-13-0008: MDL-36620 - guest users can access RSS feed for site 
level blogs

+* MSA-13-0005: MDL-35991 - open redirect issues
+
+ -- Tomasz Muras nexor1...@gmail.com  Tue, 15 Jan 2013 20:43:50 +0100
+
 moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low

   * Fix possible security issue for curl in 3rd party libraries:
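Review bot: the new changelog entry (the `+* MSA-13-0009: ...` through `+* MSA-13-0005: ...` lines) names only Moodle advisory and tracker ids, with no CVE ids, so the security tracker cannot match this upload to the issues it closes; add a `Fixes CVE-...` line under each advisory that has one and state explicitly where none is assigned. The list also jumps from MSA-13-0005 to MSA-13-0007; say in the entry whether MSA-13-0006 does not affect 2.2 or was deliberately left out, so the gap is not read as a missing backport.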
diff -Nru 
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch 
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
--- 
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch 
1970-01-01 01:00:00.0 +0100
+++ 
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch 
2013-01-14 22:35:55.0 +0100

@@ -0,0 +1,21 @@
+commit 8c27cc95349a6cce073651ebbff9b44394d4ecb7
+Author: Paul Nicholls paul.nicho...@canterbury.ac.nz
+Date:   Mon Aug 13 12:51:30 2012 +1200
+
+MDL-27619: Prevent teachers from turning course Outcomes into 
site-wide ones

+
+Similar to the issue which allowed teachers to create site-wide 
scales by editing a course-specific scale (MDL-24682), teachers could 
also promote a course-specific scale to a site-wide (standard) by 
editing it.  As with MDL-24682, removing the course ID check (leaving 
just the capability check) prevents this unauthorised creation of 
site-wide (standard) outcomes.

+
+diff --git a/grade/edit/outcome/edit_form.php 
b/grade/edit/outcome/edit_form.php

+index 6c1893e..a283f40 100644
+--- a/grade/edit/outcome/edit_form.php
 b/grade/edit/outcome/edit_form.php
+@@ -114,7 +114,7 @@ class edit_outcome_form extends moodleform {
+ if (empty($courseid)) {
+ $mform-hardFreeze('standard');
+
+-} else if (empty($outcome-courseid) and 
!has_capability('moodle/grade:manage', 
get_context_instance(CONTEXT_SYSTEM))) {
++} else if (!has_capability('moodle/grade:manage', 
get_context_instance(CONTEXT_SYSTEM))) {

+ $mform-hardFreeze('standard');
+
+ } else if ($coursecount and empty($outcome-courseid)) {
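Review bot: the change in `edit_form.php` drops `empty($outcome->courseid) and` and keeps only `!has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))`, so the `standard` field is now frozen for anyone without the system-level capability even when the outcome being edited is course-specific, which is exactly the path a teacher could use to promote it; that matches the commit message and the analogous scale fix it cites (MDL-24682). Two things worth checking before upload: that the MDL-24682 change is already present in the 2.2.3 tree so the two forms behave consistently, and that the patch gets a DEP-3 `Origin:` line (upstream commit 8c27cc95349a6cce073651ebbff9b44394d4ecb7) and `Bug:` reference to MDL-27619 so the cherry-pick stays traceable once the git header is no longer at hand.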
diff -Nru 
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch 
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
--- 
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch 
1970-01-01 01:00:00.0 +0100
+++ 
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch 
2013-01-14 22:35:58.0 +0100

@@ -0,0 +1,21 @@
+commit 53459511a96871583f6ed21517372b9bf4cbd96a
+Author: Ankit Agarwal an...@moodle.com
+Date:   Mon Jun 25 14:10:42 2012 +0800
+
+MDL-33340 completion: Incorrect logic in hidden field check
+
+Credit to Jody Steele
+
+diff --git a/report/outline/index.php b/report/outline/index.php
+index c7abae3..7c82e66 100644
+--- a/report/outline/index.php
 b/report/outline/index.php
+@@ -42,7 +42,7 @@ add_to_log($course-id, 'course', 'report outline', 
report/outline/index.php?id

+ $showlastaccess = true;
+ $hiddenfields = explode(',', $CFG-hiddenuserfields);
+
+-if (array_search('lastaccess', $hiddenfields) and 
!has_capability('moodle/user:viewhiddendetails', $context)) {
++if (array_search('lastaccess', $hiddenfields) !== false and 
!has_capability('moodle/user:viewhiddendetails', $context)) {

+ $showlastaccess = false;
+ }
+
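Review bot: the `!== false` in `report/outline/index.php` is the right fix: `array_search` returns the matching key, so when `lastaccess` is the first entry of `$CFG->hiddenuserfields` it returns `0`, which the original `if (array_search(...) and ...)` treated as false and therefore kept `$showlastaccess` true for users without `moodle/user:viewhiddendetails`. `in_array('lastaccess', $hiddenfields, true)` would express the same check more plainly, and since the bug is a truthiness slip rather than a logic error, a grep for other `array_search(` calls used directly as conditions in the 2.2 tree would be a cheap way to confirm this is the only instance being shipped.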
diff -Nru 
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch 
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch
---