Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 03/11/2013 09:35 PM, Jonathan Wiltshire wrote:
> On Mon, Mar 11, 2013 at 06:43:02PM +0100, Tomasz Muras wrote:
> > On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:
> > > Just to clarify before I do it: stable stays as it is; remove moodle from Wheezy and you will work on the basis of getting 2.5 into Jessie? Intermediate versions can always go into backports of course.
>
> On Mon, Mar 11, 2013 at 02:40:55PM -0400, Hubert Chathi wrote:
> > On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:
> > > Correct. 1.9 is still supported (it won't be for long) and can stay in stable. I am thinking that I would package 2.5 and then 2.6 in unstable and not let it migrate into testing - unless an LTS upstream version is released. Does it make sense?
>
> Yes.
>
> > AFAIK, if a package is not intended to go into testing, it should be in experimental rather than unstable.
>
> Unstable is fine. Protecting unstable doesn't make any sense for a package that isn't in testing anyway. When the freeze is lifted normal transition will take place.
>
> > > One thing I'm not sure about is what will happen to current users of the moodle package. They have 1.9 in squeeze, there will be nothing in wheezy but then the package will appear back in jessie - but with no upgrade path. The only way to get moodle back will be to drop the package completely (and drop the DB) and re-install it. Of course we could provide some manual instructions to install the 2.2 package and then upgrade to 2.4.
> >
> > IIRC, technically, we wouldn't need to worry about upgrades, since we only need to do upgrades from the previous Debian release. Of course, that's not a very nice thing to do. One option is to provide a 2.2 deb package that they can download from some other repository (we could probably dump it somewhere in Alioth). That would probably be easier than having to install 2.2 via a non-deb method.
> >
> > And you could add a preinst script in the 2.5 package that would abort the upgrade if the user tries to upgrade from 1.9.
>
> This is why I suggest using wheezy-backports.

Great, we're not promising any security updates in *-backports, so we can have:

* Moodle 1.9 in squeeze
* nothing in wheezy
* Moodle 2.2 with security issues in wheezy-backports, just to cover for users that want to use it for the upgrade path
* LTS (possibly 2.6) in unstable, with migration to testing blocked until the version is confirmed LTS.

The preinst check seems like a good idea.

Tomek

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On Tue, Mar 12, 2013 at 21:06:01 +0100, Tomasz Muras wrote:
> Great, we're not promising any security updates in *-backports, so we can have:
>
> * Moodle 1.9 in squeeze
> * nothing in wheezy
> * Moodle 2.2 with security issues in wheezy-backports, just to cover for users that want to use it for the upgrade path
> * LTS (possibly 2.6) in unstable, with migration to testing blocked until the version is confirmed LTS.
>
> The preinst check seems like a good idea.

Not promising security support doesn't mean knowingly shipping stuff that doesn't (and won't) get any fixes is reasonable.

Cheers,
Julien
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Hi Thomas, hi Release Team, hi Moodle maintainers.

On Thursday, 28 February 2013 18.00:19, Didier 'OdyX' Raboud wrote:
> So please just re-issue a correctly-versioned Debian package and I'll upload it to unstable (then we'll take a look at the package for testing-proposed-updates).

Given that:

a) we fail at releasing Moodle updates to unstable in a timely manner (and I have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to wheezy in a timely manner (this unblock has been open for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not even security), according to [0]; furthermore on that point, as far as I can see, there is no one taking responsibility to handle Moodle 2.2 security on the long term (Moodle in Wheezy will need to be security-handled for roughly three years, yet it is _already_ not supported);
d) there are (in my opinion) not enough people behind the maintenance of Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not willing to get more involved.

So as much as I find that unfortunate, I think that the best solution for all of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.

Thomasz, as you're the actual de-facto maintainer, please voice your opinion as I have voiced mine: the decision is in the hands of the Release Team I guess.

Cheers
OdyX
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Sorry, missed my footnote:

On Monday, 11 March 2013 10.49:49, Didier 'OdyX' Raboud wrote:
> c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not even security), according to [0];

[0] http://docs.moodle.org/dev/Releases#Moodle_2.2

That allows me to correct what I wrote earlier: Moodle 2.2 is not yet out-of-security support, but it will undoubtedly be from June 2013 on, which is still very early in the Wheezy-as-stable lifecycle.

Cheers,
OdyX
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:
> a) we fail at releasing Moodle updates to unstable in a timely manner (and I have my share of the fault here);
> b) we consequently fail at releasing Moodle security updates to wheezy in a timely manner (this unblock has been open for almost two months);
> c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not even security), according to [0]; furthermore on that point, as far as I can see, there is no one taking responsibility to handle Moodle 2.2 security on the long term (Moodle in Wheezy will need to be security-handled for roughly three years, yet it is _already_ not supported);
> d) there are (in my opinion) not enough people behind the maintenance of Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not willing to get more involved.
>
> So as much as I find that unfortunate, I think that the best solution for all of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.
>
> Thomasz, as you're the actual de-facto maintainer, please voice your opinion as I have voiced mine: the decision is in the hands of the Release Team I guess.

I have exactly the same concerns. Security fixes have been released for Moodle 2.2 today. I could cherry-pick the patches and we could close this bug - not a big deal. There will probably be another security update for Moodle this year but that's it. Realistically speaking there is no way I can maintain security fixes for non-supported (by upstream) software of this size.

I have put Moodle 2.2 into Wheezy as that's the only possible upgrade path for Moodle (1.9 - 2.2 - 2.3+). By not shipping 2.2 in wheezy, we will break the upgrades for any current users. I don't see any other option though. There are talks in Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably the only reasonable way to maintain a high quality package like this in Debian.

+1 for not shipping 2.2, breaking the upgrade path for this package, starting from 2.5 (or higher) in unstable and providing Moodle LTS editions in Debian stable only.

Tomek
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 2013-03-11 10:18, Tomasz Muras wrote:
> On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:
> > a) we fail at releasing Moodle updates to unstable in a timely manner (and I have my share of the fault here);
> > b) we consequently fail at releasing Moodle security updates to wheezy in a timely manner (this unblock has been open for almost two months);
> > c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not even security), according to [0]; furthermore on that point, as far as I can see, there is no one taking responsibility to handle Moodle 2.2 security on the long term (Moodle in Wheezy will need to be security-handled for roughly three years, yet it is _already_ not supported);
> > d) there are (in my opinion) not enough people behind the maintenance of Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not willing to get more involved.
> >
> > So as much as I find that unfortunate, I think that the best solution for all of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.
> >
> > Thomasz, as you're the actual de-facto maintainer, please voice your opinion as I have voiced mine: the decision is in the hands of the Release Team I guess.
>
> I have exactly the same concerns. Security fixes have been released for Moodle 2.2 today. I could cherry-pick the patches and we could close this bug - not a big deal. There will probably be another security update for Moodle this year but that's it. Realistically speaking there is no way I can maintain security fixes for non-supported (by upstream) software of this size.
>
> I have put Moodle 2.2 into Wheezy as that's the only possible upgrade path for Moodle (1.9 - 2.2 - 2.3+). By not shipping 2.2 in wheezy, we will break the upgrades for any current users. I don't see any other option though. There are talks in Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably the only reasonable way to maintain a high quality package like this in Debian.

We have found this elsewhere too (e.g. mediawiki, where they are moving to a six-month cycle but adding LTS releases for distributions).

> +1 for not shipping 2.2, breaking the upgrade path for this package, starting from 2.5 (or higher) in unstable and providing Moodle LTS editions in Debian stable only.

Just to clarify before I do it: stable stays as it is; remove moodle from Wheezy and you will work on the basis of getting 2.5 into Jessie? Intermediate versions can always go into backports of course.

It is indeed unfortunate, but carrying security support on our own for that long does make me nervous.

Thanks,

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:
> On 2013-03-11 10:18, Tomasz Muras wrote:
> > On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:
> > > So as much as I find that unfortunate, I think that the best solution for all of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.
> >
> > I have exactly the same concerns. Security fixes have been released for Moodle 2.2 today. I could cherry-pick the patches and we could close this bug - not a big deal. There will probably be another security update for Moodle this year but that's it. Realistically speaking there is no way I can maintain security fixes for non-supported (by upstream) software of this size.
> >
> > I have put Moodle 2.2 into Wheezy as that's the only possible upgrade path for Moodle (1.9 - 2.2 - 2.3+). By not shipping 2.2 in wheezy, we will break the upgrades for any current users. I don't see any other option though. There are talks in Moodle about making an LTS version (e.g. 2.6LTS) - and that's probably the only reasonable way to maintain a high quality package like this in Debian.
>
> We have found this elsewhere too (e.g. mediawiki, where they are moving to a six-month cycle but adding LTS releases for distributions).
>
> > +1 for not shipping 2.2, breaking the upgrade path for this package, starting from 2.5 (or higher) in unstable and providing Moodle LTS editions in Debian stable only.
>
> Just to clarify before I do it: stable stays as it is; remove moodle from Wheezy and you will work on the basis of getting 2.5 into Jessie? Intermediate versions can always go into backports of course.

Correct. 1.9 is still supported (it won't be for long) and can stay in stable. I am thinking that I would package 2.5 and then 2.6 in unstable and not let it migrate into testing - unless an LTS upstream version is released. Does it make sense?

One thing I'm not sure about is what will happen to current users of the moodle package. They have 1.9 in squeeze, there will be nothing in wheezy but then the package will appear back in jessie - but with no upgrade path. The only way to get moodle back will be to drop the package completely (and drop the DB) and re-install it. Of course we could provide some manual instructions to install the 2.2 package and then upgrade to 2.4.

Tomek
Bug#698245: [moodle-packaging] Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:
> Correct. 1.9 is still supported (it won't be for long) and can stay in stable. I am thinking that I would package 2.5 and then 2.6 in unstable and not let it migrate into testing - unless an LTS upstream version is released. Does it make sense?

AFAIK, if a package is not intended to go into testing, it should be in experimental rather than unstable.

> One thing I'm not sure about is what will happen to current users of the moodle package. They have 1.9 in squeeze, there will be nothing in wheezy but then the package will appear back in jessie - but with no upgrade path. The only way to get moodle back will be to drop the package completely (and drop the DB) and re-install it. Of course we could provide some manual instructions to install the 2.2 package and then upgrade to 2.4.

IIRC, technically, we wouldn't need to worry about upgrades, since we only need to do upgrades from the previous Debian release. Of course, that's not a very nice thing to do. One option is to provide a 2.2 deb package that they can download from some other repository (we could probably dump it somewhere in Alioth). That would probably be easier than having to install 2.2 via a non-deb method.

And you could add a preinst script in the 2.5 package that would abort the upgrade if the user tries to upgrade from 1.9.

-- 
Hubert Chathi uho...@debian.org -- Jabber: hub...@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
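A preinst gate of the kind Hubert suggests, as an added example that is not the Debian moodle package's own maintainer script: it lets dpkg proceed on a fresh install or an upgrade from 2.2 or newer, and aborts when the installed version is older, so a 1.9 site is not overwritten with code that cannot upgrade its database. The 2.2 cut-off, the error text and the version strings in the comments and test are assumptions for illustration; a real maintainer script would call dpkg --compare-versions rather than the pure-sh comparison used here so that the example runs anywhere.

```shell
#!/bin/sh
# Added example: preinst for a hypothetical moodle 2.5 package that refuses to
# upgrade over an installed 1.9 (not the Debian package's own script).
# Upstream supports 1.9 -> 2.2 -> 2.3+ only, so an in-place jump from 1.9 would
# leave the site with a database the new code cannot upgrade.
set -e

# Oldest installed version the new package can upgrade in place (assumption
# chosen to match the thread's 1.9 -> 2.2 -> newer path).
MIN_UPGRADABLE="2.2"

# numeric_prefix VERSION: the leading dotted-digit part of a Debian version,
# e.g. the constructed "2.2.3.dfsg-2.6~wheezy2" -> "2.2.3". Everything after
# it (dfsg, revision, ~wheezy2) is irrelevant to the upgrade-path check.
numeric_prefix() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9.]*[0-9]\).*$/\1/p'
}

# version_lt A B: succeeds when the numeric prefix of A sorts before that of B,
# comparing component by component ("1.9.9" < "2.2", "2.2.3" is not < "2.2").
# A real maintainer script would call: dpkg --compare-versions "$A" lt "$B".
version_lt() {
    a=$(numeric_prefix "$1")
    b=$(numeric_prefix "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # drop the component just read; a missing component counts as 0
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1    # equal
}

# check_upgrade_path ACTION [OLD-VERSION]: dpkg runs the new package's preinst
# as "preinst install [old-version]" or "preinst upgrade old-version".
# Fails (status 1) only when a version older than MIN_UPGRADABLE is installed;
# fresh installs and upgrades from 2.2 or newer pass.
check_upgrade_path() {
    case "$1" in
        install|upgrade)
            if [ -n "${2:-}" ] && version_lt "$2" "$MIN_UPGRADABLE"; then
                return 1
            fi
            ;;
    esac
    return 0
}

# Abort the dpkg run with an explanation instead of unpacking files over an
# unupgradable site (the wording is an assumption for this example).
preinst_main() {
    if ! check_upgrade_path "$@"; then
        cat >&2 <<EOF
moodle: cannot upgrade in place from version $2.
Upgrade to Moodle $MIN_UPGRADABLE first (for example from wheezy-backports),
then install this package again.
EOF
        exit 1
    fi
}

# Act only when dpkg invokes this script with an action; when the file is
# merely sourced (no arguments) the functions are defined and nothing runs.
case "${1:-}" in
    install|upgrade) preinst_main "$@" ;;
esac
```

dpkg treats a non-zero preinst exit as a failed installation and leaves the old package in place, which is exactly the behaviour the thread wants for 1.9 sites.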
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On Mon, Mar 11, 2013 at 06:43:02PM +0100, Tomasz Muras wrote:
> On 03/11/2013 05:22 PM, Jonathan Wiltshire wrote:
> > Just to clarify before I do it: stable stays as it is; remove moodle from Wheezy and you will work on the basis of getting 2.5 into Jessie? Intermediate versions can always go into backports of course.

On Mon, Mar 11, 2013 at 02:40:55PM -0400, Hubert Chathi wrote:
> On Mon, 11 Mar 2013 18:43:02 +0100, Tomasz Muras nexor1...@gmail.com said:
> > Correct. 1.9 is still supported (it won't be for long) and can stay in stable. I am thinking that I would package 2.5 and then 2.6 in unstable and not let it migrate into testing - unless an LTS upstream version is released. Does it make sense?

Yes.

> AFAIK, if a package is not intended to go into testing, it should be in experimental rather than unstable.

Unstable is fine. Protecting unstable doesn't make any sense for a package that isn't in testing anyway. When the freeze is lifted normal transition will take place.

> > One thing I'm not sure about is what will happen to current users of the moodle package. They have 1.9 in squeeze, there will be nothing in wheezy but then the package will appear back in jessie - but with no upgrade path. The only way to get moodle back will be to drop the package completely (and drop the DB) and re-install it. Of course we could provide some manual instructions to install the 2.2 package and then upgrade to 2.4.
>
> IIRC, technically, we wouldn't need to worry about upgrades, since we only need to do upgrades from the previous Debian release. Of course, that's not a very nice thing to do. One option is to provide a 2.2 deb package that they can download from some other repository (we could probably dump it somewhere in Alioth). That would probably be easier than having to install 2.2 via a non-deb method.
>
> And you could add a preinst script in the 2.5 package that would abort the upgrade if the user tries to upgrade from 1.9.

This is why I suggest using wheezy-backports.

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Hi Thomas, and thanks for this package, sorry for my misguided mail earlier, apparently yours just missed my inbox.

On Monday, 28 January 2013 18.38:49, Tomasz Muras wrote:
> The package for unstable is available at:
> dget http://dev.agilesparkle.com/moodle_2.2.7.dfsg-1.dsc
>
> Please review upload to unstable. It contains all upstream fixes + CURL issue patch.

One important thing: this is not Moodle 2.2.7. That's the weekly release of Moodle 2.2, released after 2.2.7. So the version is IMHO wrong and should instead be something like 2.2.7+20130125.dfsg-1 . Even if I usually try to stick to released tarballs, in the specific case of Moodle I'm fine with releasing weekly snapshots, but they must be versioned correctly.

Other than that, the package looks good to me, besides the usual-but-not-worse-than-before embedded libraries such as TinyMCE (3.4.9, tiny_mce.js, tiny_mce_popup.js and tiny_mce_src.js), HTMLPurifier.php and YUI (3.4.1).

So please just re-issue a correctly-versioned Debian package and I'll upload it to unstable (then we'll take a look at the package for testing-proposed-updates).

OdyX
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Hi Thomasz,

On Wednesday, 23 January 2013 23.57:39, Jonathan Wiltshire wrote:
> > On Saturday, 19 January 2013 14.37:39, Tomasz Muras wrote:
> > > CVE numbers added, new changelog entry copied below for your convenience. MSA-13-0001 has no CVE assigned.
> > >
> > > Newest package available at:
> > > dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc
> >
> > Seems good to me; now waiting on the release team's opinion
>
> I would be happy to accept the patches proposed, but they need fixing in unstable first if they have not been already.

Did you plan to prepare an update for Moodle 2.2 on unstable? It would be good to get the latest security fixes in unstable soon and then to wheezy.

Cheers,
OdyX
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 01/23/2013 11:57 PM, Jonathan Wiltshire wrote:
> I would be happy to accept the patches proposed, but they need fixing in unstable first if they have not been already. You can go ahead and upload to t-p-u once the fixes reach unstable, and I will accept it after a few days to allow testing to take place.

Hi Didier,

The package for unstable is available at:
dget http://dev.agilesparkle.com/moodle_2.2.7.dfsg-1.dsc

Please review upload to unstable. It contains all upstream fixes + CURL issue patch.

cheers,
Tomek
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Control: tag -1 + confirmed

Hi,

On Sun, Jan 20, 2013 at 11:20:06AM +0100, Didier 'OdyX' Raboud wrote:
> Hi Tomasz,
>
> On Saturday, 19 January 2013 14.37:39, Tomasz Muras wrote:
> > CVE numbers added, new changelog entry copied below for your convenience. MSA-13-0001 has no CVE assigned.
> >
> > Newest package available at:
> > dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc
>
> Seems good to me; now waiting on the release team's opinion

I would be happy to accept the patches proposed, but they need fixing in unstable first if they have not been already. You can go ahead and upload to t-p-u once the fixes reach unstable, and I will accept it after a few days to allow testing to take place.

Thanks,

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Hi Tomasz,

On Saturday, 19 January 2013 14.37:39, Tomasz Muras wrote:
> CVE numbers added, new changelog entry copied below for your convenience. MSA-13-0001 has no CVE assigned.
>
> Newest package available at:
> dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

Seems good to me; now waiting on the release team's opinion

> > Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that unstable gets the fixes targeted for Wheezy too. As unstable already diverged from the wheezy version, I think updating the unstable packaging to the latest 2.2 version is safe. I will also sponsor this version (after review, of course).
>
> I want to move to the latest 2.4 in unstable, I'm just waiting for wheezy to be released to continue packaging work. I needed 2.2 in stable only because the upgrade path is 1.9 - 2.2 - 2.4.

Well… The policy is to have unstable at least as well supported security-wise as testing, so we need a latest 2.2 (or a 2.2 with backports of the fixes proposed for t-p-u) approximately in sync with the t-p-u upload; ideally before. That said, I can prepare the 2.2 upload to unstable if you want, but I think it's a git merge away.

Cheers,
OdyX
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
On 01/17/2013 10:15 AM, Didier 'OdyX' Raboud wrote:
> Please include the CVEs in the changelog entry, as done for the latest entry: they are important for security problems tracking. They are available in the mail I forwarded to you in private (CVE-2012-6098 to CVE-2012-6106).

Hi Didier,

CVE numbers added, new changelog entry copied below for your convenience. MSA-13-0001 has no CVE assigned.

Newest package available at:
dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low

  * Backport security issues from upstream Moodle 2.2.7.
    * MSA-13-0009: MDL-37467 - blog posts available via RSS after blogging disabled
      Fixes CVE-2012-6105
    * MSA-13-0007: MDL-36600 - course message sending CSRF
      Fixes CVE-2012-6103
    * MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker
    * MSA-13-0003: MDL-36977 - moodle backup paths not validated properly
      Fixes CVE-2012-6099
    * MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard when re-editing
      Fixes CVE-2012-6098
    * MSA-13-0004: MDL-33340 - activity report showing lastaccess even if field hidden
      Fixes CVE-2012-6100
    * MSA-13-0008: MDL-36620 - guest users can access RSS feed for site level blogs
      Fixes CVE-2012-6104
    * MSA-13-0005: MDL-35991 - open redirect issues
      Fixes CVE-2012-6101

 -- Tomasz Muras nexor1...@gmail.com  Tue, 15 Jan 2013 20:43:50 +0100

> Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that unstable gets the fixes targeted for Wheezy too. As unstable already diverged from the wheezy version, I think updating the unstable packaging to the latest 2.2 version is safe. I will also sponsor this version (after review, of course).

I want to move to the latest 2.4 in unstable, I'm just waiting for wheezy to be released to continue packaging work. I needed 2.2 in stable only because the upgrade path is 1.9 - 2.2 - 2.4.

cheers,
Tomek
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Control: retitle -1 tpu: package moodle/2.2.3.dfsg-2.6~wheezy2

(CC'ing the security team for information)

Hi Thomasz, and thanks for this upload proposal,

On Tuesday, 15 January 2013 22.35:54, Tomasz Muras wrote:
> Please unblock package moodle
>
> I am about to get a new version of the package uploaded to testing-proposed-updates. The new version fixes security issues from upstream release.

I will sponsor this upload once and if it gets accepted by the release team.

diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog --- moodle-2.2.3.dfsg/debian/changelog2012-12-31 18:26:26.0 +0100 +++ moodle-2.2.3.dfsg/debian/changelog2013-01-15 22:29:57.0 +0100
@@ -1,3 +1,17 @@ +moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low + + * Backport security issues from upstream Moodle 2.2.7. +* MSA-13-0009: MDL-37467 - blog posts available via RSS after blogging disabled +* MSA-13-0007: MDL-36600 - course message sending CSRF +* MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker +* MSA-13-0003: MDL-36977 - moodle backup paths not validated properly +* MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard when re-editing +* MSA-13-0004: MDL-33340 - activity report showing lastaccess even if field hidden +* MSA-13-0008: MDL-36620 - guest users can access RSS feed for site level blogs +* MSA-13-0005: MDL-35991 - open redirect issues + + -- Tomasz Muras nexor1...@gmail.com Tue, 15 Jan 2013 20:43:50 +0100 +

Please include the CVEs in the changelog entry, as done for the latest entry: they are important for security problems tracking. They are available in the mail I forwarded to you in private (CVE-2012-6098 to CVE-2012-6106).

Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that unstable gets the fixes targeted for Wheezy too. As unstable already diverged from the wheezy version, I think updating the unstable packaging to the latest 2.2 version is safe. I will also sponsor this version (after review, of course).

Cheers,
OdyX
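Review bot: the new changelog entry lists the MSA advisories but carries no CVE identifiers, and the Debian security tracker matches fixed issues by the CVE ids it finds in changelogs, so every sub-item that has one should name it (the eight items here map to CVE-2012-6098 through CVE-2012-6106 per the reply below; a `Fixes CVE-2012-xxxx` line under each `+    * MSA-13-00xx:` item is enough). The list also runs MSA-13-0001 to MSA-13-0009 with MSA-13-0006 absent; one line saying whether that advisory does not apply to 2.2 or is still pending would save the next reviewer the question.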
Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package moodle

I am about to get a new version of the package uploaded to testing-proposed-updates. The new version fixes security issues from upstream release.

diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog --- moodle-2.2.3.dfsg/debian/changelog 2012-12-31 18:26:26.0 +0100 +++ moodle-2.2.3.dfsg/debian/changelog 2013-01-15 22:29:57.0 +0100 @@ -1,3 +1,17 @@ +moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low + + * Backport security issues from upstream Moodle 2.2.7. +* MSA-13-0009: MDL-37467 - blog posts available via RSS after blogging disabled +* MSA-13-0007: MDL-36600 - course message sending CSRF +* MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker +* MSA-13-0003: MDL-36977 - moodle backup paths not validated properly +* MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard when re-editing +* MSA-13-0004: MDL-33340 - activity report showing lastaccess even if field hidden +* MSA-13-0008: MDL-36620 - guest users can access RSS feed for site level blogs +* MSA-13-0005: MDL-35991 - open redirect issues + + -- Tomasz Muras nexor1...@gmail.com Tue, 15 Jan 2013 20:43:50 +0100 + moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low * Fix possible security issue for curl in 3rd party libraries: diff -Nru moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch --- moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch 1970-01-01 01:00:00.0 +0100 +++ moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch 2013-01-14 22:35:55.0 +0100
@@ -0,0 +1,21 @@ +commit 8c27cc95349a6cce073651ebbff9b44394d4ecb7 +Author: Paul Nicholls paul.nicho...@canterbury.ac.nz +Date: Mon Aug 13 12:51:30 2012 +1200 + +MDL-27619: Prevent teachers from turning course Outcomes into site-wide ones + +Similar to the issue which allowed teachers to create site-wide scales by editing a course-specific scale (MDL-24682), teachers could also promote a course-specific scale to a site-wide (standard) by editing it. As with MDL-24682, removing the course ID check (leaving just the capability check) prevents this unauthorised creation of site-wide (standard) outcomes. + +diff --git a/grade/edit/outcome/edit_form.php b/grade/edit/outcome/edit_form.php +index 6c1893e..a283f40 100644 +--- a/grade/edit/outcome/edit_form.php b/grade/edit/outcome/edit_form.php +@@ -114,7 +114,7 @@ class edit_outcome_form extends moodleform { + if (empty($courseid)) { + $mform-hardFreeze('standard'); + +-} else if (empty($outcome-courseid) and !has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))) { ++} else if (!has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))) { + $mform-hardFreeze('standard'); + + } else if ($coursecount and empty($outcome-courseid)) { diff -Nru moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch --- moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch 1970-01-01 01:00:00.0 +0100 +++ moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch 2013-01-14 22:35:58.0 +0100 
@@ -0,0 +1,21 @@ +commit 53459511a96871583f6ed21517372b9bf4cbd96a +Author: Ankit Agarwal an...@moodle.com +Date: Mon Jun 25 14:10:42 2012 +0800 + +MDL-33340 completion: Incorrect logic in hidden field check + +Credit to Jody Steele + +diff --git a/report/outline/index.php b/report/outline/index.php +index c7abae3..7c82e66 100644 +--- a/report/outline/index.php b/report/outline/index.php +@@ -42,7 +42,7 @@ add_to_log($course-id, 'course', 'report outline', report/outline/index.php?id + $showlastaccess = true; + $hiddenfields = explode(',', $CFG-hiddenuserfields); + +-if (array_search('lastaccess', $hiddenfields) and !has_capability('moodle/user:viewhiddendetails', $context)) { ++if (array_search('lastaccess', $hiddenfields) !== false and !has_capability('moodle/user:viewhiddendetails', $context)) { + $showlastaccess = false; + } + diff -Nru moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch ---
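Review bot: in the 0022-MDL-27619 hunk for grade/edit/outcome/edit_form.php, dropping the `empty($outcome->courseid) and` half of the condition means the `standard` control is hard-frozen for every editor who lacks moodle/grade:manage at system context, whether the outcome is course-scoped or already standard; that is the stated intent and mirrors the MDL-24682 fix the message cites, but the patch description should say explicitly that hardFreeze also discards a submitted value for the field rather than only rendering it read-only, since that is what makes this a server-side fix and not a UI one, and please confirm the save path applies the same capability check. Two smaller points: the commit message says "promote a course-specific scale to a site-wide (standard)" where it means an outcome, and in the text as rendered here `$mform-hardFreeze` and `$outcome-courseid` have lost the `>` of the `->` operator, so verify the patch file itself before applying.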
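Review bot: the 0023-MDL-33340 hunk for report/outline/index.php fixes the right defect, and the commit message ("Incorrect logic in hidden field check") would be clearer if it spelled it out: `array_search('lastaccess', $hiddenfields)` returns the integer 0 when lastaccess is the first entry of $CFG->hiddenuserfields, 0 is falsy, so the old condition skipped the `$showlastaccess = false` branch for exactly that configuration and the report exposed last-access times the site had configured as hidden; comparing with `!== false` separates index 0 from not-found. A form that avoids the trap entirely is `in_array('lastaccess', $hiddenfields, true)`, and the same `array_search(...)` without `!== false` pattern is worth grepping for across the tree before treating the backport as complete.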