Your message dated Fri, 28 Dec 2012 21:43:42 +0100
with message-id <[email protected]>
and subject line moodle/2.2.3.dfsg-2.6~wheezy0 entered wheezy
has caused the Debian Bug report #695804,
regarding unblock: moodle/2.2.3.dfsg-2.6~wheezy0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
695804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695804
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package moodle
I am about to get a new version of the package uploaded to
testing-proposed-updates. The new version fixes a security issue that is
forwarded but not yet fixed upstream.
diff -Nru moodle-2.2.3.dfsg/debian/changelog
moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog 2012-11-16 09:07:18.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/changelog 2012-12-12 19:19:22.000000000 +0100
@@ -1,3 +1,11 @@
+moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low
+
+ * Fix possible security issue for curl in 3-rd party libraries:
+ * phpCAS (CVE-2012-5583)
+ * amazon-s3-php-class
+
+ -- Tomasz Muras <[email protected]> Tue, 27 Nov 2012 23:15:45 +0100
+
moodle (2.2.3.dfsg-2.6~wheezy0) testing-proposed-updates; urgency=low
* Re-upload -2.6 towards Wheezy.
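Review bot: the changelog entry is too vague for a security upload: "3-rd party libraries" should read "third-party libraries", and the amazon-s3-php-class bullet carries no reference at all while the phpCAS bullet cites CVE-2012-5583. Suggest naming the Moodle tracker issue (MDL-36818, as the patch file name already does) and stating explicitly that no CVE has been assigned for the amazon-s3-php-class instance, so that the security tracker and the release team can match this entry to the upstream reports.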
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
---
moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
2012-12-12 19:20:03.000000000 +0100
@@ -0,0 +1,49 @@
+From: Tomasz Muras <[email protected]>
+Last-Update: 2012-12-12
+Bug: http://tracker.moodle.org/browse/MDL-36818
+Bug-amazon-s3-php-class:
https://github.com/tpyo/amazon-s3-php-class/pull/36
+Bug-phpCAS: https://github.com/Jasig/phpCAS/pull/58
+Forwarded: yes
+Description: Fix the value of CURLOPT_SSL_VERIFYHOST option.
+ Wrong use of CURLOPT_SSL_VERIFYHOST is a potential security issue.
+ The bug was reported by Alessandro Ghedini <[email protected]>, patch
+ created by Tomasz Muras and forwarded to Moodle and Moodle's upstream -
+ amazon-s3-php-class and phpCAS. There is no Debian bug or CVE issued yet
+ but Debian Security Team has been notified. CVE for phpCAS is
CVE-2012-5583.
+ The bug is not fixed in Moodle upstream yet.
+
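Review bot: the Description block contradicts itself: "There is no Debian bug or CVE issued yet" is immediately followed by "CVE for phpCAS is CVE-2012-5583". Suggest rewording to say that CVE-2012-5583 covers the phpCAS copy and that no CVE has been assigned for amazon-s3-php-class, and adding the Debian bug number once one exists. Per DEP-3, "Forwarded: yes" could also be replaced by the upstream pull request URLs already given in the Bug-* fields.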
+diff --git a/auth/cas/CAS/CAS/client.php b/auth/cas/CAS/CAS/client.php
+index 74d6893..d5c4212 100644
+--- a/auth/cas/CAS/CAS/client.php
++++ b/auth/cas/CAS/CAS/client.php
+@@ -2160,7 +2160,7 @@ class CASClient
+ if ($this->_cas_server_cert != '' && $this->_cas_server_ca_cert
!= '') {
+ // This branch added by IDMS. Seems phpCAS implementor got a bit
confused about the curl options CURLOPT_SSLCERT and CURLOPT_CAINFO
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($ch, CURLOPT_SSLCERT,
$this->_cas_server_cert);
+ curl_setopt($ch, CURLOPT_CAINFO,
$this->_cas_server_ca_cert);
+ curl_setopt($ch, CURLOPT_VERBOSE, '1');
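Review bot: the change from 1 to 2 in this branch is the right fix: with libcurl, CURLOPT_SSL_VERIFYHOST set to 1 only checks that the server certificate carries a name at all, whereas 2 requires that name to match the host being connected to, so a valid certificate issued for any other host would previously have been accepted. Because this branch also sets CURLOPT_SSL_VERIFYPEER to 1 together with CURLOPT_CAINFO, both the chain and the hostname are now verified. The unchanged CURLOPT_VERBOSE '1' line in the context is unrelated to the fix but deserves a follow-up, since it makes curl write handshake details to stderr on every request.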
+@@ -2172,7 +2172,7 @@ class CASClient
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+ curl_setopt($ch, CURLOPT_CAINFO,
$this->_cas_server_ca_cert);
+ } else {
+- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
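Review bot: in the else branch the hostname check is corrected, but the context line below it keeps CURLOPT_SSL_VERIFYPEER at 0, so the certificate chain is still not validated in that configuration and the name match is performed against an unverified certificate. This is pre-existing behaviour for deployments without a configured CA certificate and is out of scope for this targeted fix, but the Description should say so, and a follow-up that makes the fallback path verify the peer (or documents that it is not authenticated) is warranted.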
+diff --git a/repository/s3/S3.php b/repository/s3/S3.php
+index dadfb5a..b5a11b6 100644
+--- a/repository/s3/S3.php
++++ b/repository/s3/S3.php
+@@ -1140,7 +1140,7 @@ final class S3Request {
+ curl_setopt($curl, CURLOPT_USERAGENT, 'S3/php');
+
+ if (S3::$useSSL) {
+- curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
++ curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
+ }
+
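Review bot: the S3 hunk is consistent with the phpCAS change, and since CURLOPT_SSL_VERIFYPEER is already 1 in the same block, the combination now gives full peer and hostname verification whenever S3::$useSSL is set. One thing to confirm before upload: this nested diff is applied by quilt from debian/patches, so the wrapped context lines visible in the mail (for example the CURLOPT_SSLCERT call split across two lines) must not be present in the actual patch file, or the hunks will fail to apply.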
diff -Nru moodle-2.2.3.dfsg/debian/patches/series
moodle-2.2.3.dfsg/debian/patches/series
--- moodle-2.2.3.dfsg/debian/patches/series 2012-11-10
16:09:16.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/series 2012-11-29
18:00:57.000000000 +0100
@@ -18,3 +18,4 @@
0018-MDL-34448-mod-data-Fixing-separate-groups-viewing-al.patch
0019-MDL-33791-Portfolio-Fixed-security-issue-with-passin.patch
0020-MDL-35558-mod_data-Show-only-own-entries-while-there.patch
+0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
unblock moodle/2.2.3.dfsg-2.6~wheezy1
Tomasz Muras
--- End Message ---
--- Begin Message ---
Hi,
It seems moodle/2.2.3.dfsg-2.6~wheezy0 entered wheezy, so this bug can be
closed.
Cheers,
Ivo
--- End Message ---