Your message dated Sat, 03 Jan 2009 19:52:25 +0000
with message-id <e1ljcxp-0000zc...@ries.debian.org>
and subject line Bug#471158: fixed in moodle 1.6.3-2+etch1
has caused the Debian Bug report #471158,
regarding ships embedded copy of smarty with security bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
471158: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security patch
Hi,
A security issue has been discovered in Smarty which is also shipped as part
of Moodle:
| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.
Please see the original bug in Smarty here: #469492. The patch is very
straigtforward.
The right solution here is to not ship Smarty as part of Moodle but make use
of the smarty package that is already in the archive, because the security
team now has to issue multiple DSA's for this single issue which is obviously
problematic.
Could you please take the following actions:
* To address this bug for lenny and sid, please prepare a version of Moodle
that works with the archive version of smarty;
* For sarge and etch, please prepare updated packages addressing this bug and
#432264, which is also still open in sarge/etch.
thanks,
Thijs
pgpIjvOu8NYIg.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.6.3-2+etch1
We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:
moodle_1.6.3-2+etch1.diff.gz
to pool/main/m/moodle/moodle_1.6.3-2+etch1.diff.gz
moodle_1.6.3-2+etch1.dsc
to pool/main/m/moodle/moodle_1.6.3-2+etch1.dsc
moodle_1.6.3-2+etch1_all.deb
to pool/main/m/moodle/moodle_1.6.3-2+etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 471...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francois Marier <franc...@debian.org> (supplier of updated moodle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 17 Dec 2008 14:38:28 +1300
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.6.3-2+etch1
Distribution: stable-security
Urgency: high
Maintainer: Moodle Packaging Team <moodle-packag...@catalyst.net.nz>
Changed-By: Francois Marier <franc...@debian.org>
Description:
moodle - Course Management System for Online Learning
Closes: 429190 429339 432264 471158 489533 492492 494642 504235 504345 508593
Changes:
moodle (1.6.3-2+etch1) stable-security; urgency=high
.
* Adopt orphaned package (closes: #494642)
.
[ Francois Marier ]
* Fix vulnerabilities in embedded copy of smarty
(CVE-2008-1066, CVE-2008-4811, CVE-2008-4810)
(closes: #471158, #504345)
* Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
* Patch XSS scripting bug in blog/edit (CVE-2008-3326, closes: #492492)
* Patch CSRF in edit profile page (CVE-2008-3325)
* Patch XSS bug in kses (CVE-2008-1502, closes: #489533)
* Patch XSS bug in user search page (CVE-2007-3555, closes: #432264)
* Patch security bug in the embedded (and customised) copy of phpmailer
(CVE-2007-3215, closes: #429339, #429190)
.
[ Dan Poltawski ]
* Patch SQL injection bug in hotpot module (MSA-08-0010)
* Patch privilege escalation bug in moodle core (MSA-08-0001)
* Patch CSRF bug in message settings page (MSA-08-0023)
* Patch XSS bug in wiki page titles (CVE-2008-5432, closes: #508593)
* Patch XSS bug in string cleaning functions (MSA-08-0021)
* Patch XSS bug in RSS feeds
* Fix parameter cleaning in forum user page
* Fix critical security hole which allows any user to reset a users
password (MDL-7755)
* Fix XSS bug in login block (MDL-8849)
* Fix insufficient cleaning of PARAM_HOST (MDL-12793)
* Fix XSS bug in logged urls (MDL-11414)
* Fix uncleaned params in wiki (MDL-14806)
* Fix text cleaning (MDL-10276)
Files:
d9a1fceaf316b608709be372d97e667a 793 web optional moodle_1.6.3-2+etch1.dsc
2f9f3fcf83ab0f18c409f3a48e07eae2 7465709 web optional moodle_1.6.3.orig.tar.gz
d29c179786ca1dcadf232c5e9a601362 24019 web optional
moodle_1.6.3-2+etch1.diff.gz
9a5fb5924faa639952c3171665bc347d 6592474 web optional
moodle_1.6.3-2+etch1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFJSXpJScUZKBnQNIYRAgkFAJ48I/8WdCMlHOtKE/sCCokWC0QoQQCgoAPn
tNg4aPFgcra3nrjVkfxD/oA=
=XHA/
-----END PGP SIGNATURE-----
--- End Message ---
