Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu
Hi dear Release Team,
upon ping from Jonathan Wiltshire on #682203, here I am with a proposed stable
update for moodle. The changelog entry would be:
moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low
* Minor security updates.
* Backporting security fixes from MOODLE_19_STABLE:
- CVE-2012-1155 - MSA-12-0013: database activity module entries exporting
does not respect separate groups (Closes: #668411).
- CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE.
- CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar.
- CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works
for roles preventing calendar entry. (Closes: #674163)
debdiff and separate patches are attached; they are cherry-picks + quilt
refresh'es of upstream patches in the MOODLE_19_STABLE branch.
FYI, I started to backport the fix for CVE-2012-3398, but I'm not sure it'll
lead to an upload as the fix is quite invasive and doesn't apply cleanly on
the 1.9.9 codebase. Help welcome.
Cheers,
OdyX
diff -Nru moodle-1.9.9.dfsg2/debian/changelog moodle-1.9.9.dfsg2/debian/changelog
--- moodle-1.9.9.dfsg2/debian/changelog 2012-02-29 20:45:39.0 +0100
+++ moodle-1.9.9.dfsg2/debian/changelog 2012-10-22 08:10:11.0 +0200
@@ -1,3 +1,16 @@
+moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low
+
+ * Minor security updates.
+ * Backporting security fixes from MOODLE_19_STABLE:
+- CVE-2012-1155 - MSA-12-0013: database activity module entries exporting
+ does not respect separate groups (Closes: #668411).
+- CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE.
+- CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar.
+- CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works
+ for roles preventing calendar entry. (Closes: #674163)
+
+ -- Didier Raboud o...@debian.org Sun, 21 Oct 2012 14:16:11 +0200
+
moodle (1.9.9.dfsg2-2.1+squeeze3) stable-security; urgency=low
* Security update based on unstable:
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 1970-01-01 01:00:00.0 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 2012-10-21 14:34:54.0 +0200
@@ -0,0 +1,45 @@
+commit 312ada2856cfb79d03ac6effe11dd750f2aa67f0
+Author: Adrian Greeve adr...@moodle.com
+Date: Tue Jan 31 12:09:30 2012 +0800
+
+MDL-25185 - data - Allowing data from the database to be exported according to group roles.
+
+diff --git a/mod/data/export.php b/mod/data/export.php
+index 6ac914e..edea566 100644
+--- a/mod/data/export.php
b/mod/data/export.php
+@@ -60,6 +60,7 @@ if($mform-is_cancelled()) {
+ print_header_simple($data-name, '', $nav,
+ '', '', true, update_module_button($cm-id, $course-id, get_string('modulename', 'data')),
+ navmenu($course, $cm), '', '');
++groups_print_activity_menu($cm, $CFG-wwwroot/mod/data/export.php?d=$d);
+ print_heading(format_string($data-name));
+
+ // these are for the tab display
+@@ -83,13 +84,25 @@ foreach($fields as $key = $field) {
+ $exportdata[0][] = $field-field-name;
+ }
+ }
++$groupid = groups_get_activity_group($cm);
+
+ $datarecords = get_records('data_records', 'dataid', $data-id);
+ ksort($datarecords);
+ $line = 1;
+ foreach($datarecords as $record) {
+ // get content indexed by fieldid
+-if( $content = get_records('data_content', 'recordid', $record-id, 'fieldid', 'fieldid, content, content1, content2, content3, content4') ) {
++if($groupid) {
++$select = SELECT c.fieldid, c.content, c.content1, c.content2, c.content3, c.content4
++FROM {$CFG-prefix}data_content c, {$CFG-prefix}data_records r
++WHERE c.recordid = $record-id
++AND r.id = c.recordid
++AND r.groupid = $groupid;
++} else {
++$select = SELECT fieldid, content, content1, content2, content3, content4
++FROM {$CFG-prefix}data_content
++WHERE recordid = $record-id;
++}
++if( $content = get_records_sql($select) ) {
+ foreach($fields as $field) {
+ $contents = '';
+ if(isset($content[$field-field-id])) {
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 1970-01-01 01:00:00.0 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 2012-10-21 14:48:44.0 +0200
@@ -0,0 +1,45 @@
+commit 038131c8b5614f18c14d964dc53b6960ae6c30d8
+Author: Rajesh Taneja raj...@moodle.com
+Date: Mon Mar 26 11:54:01 2012 +1300
+
+MDL-31745 blog: Fixed up encoding issue within blog
+
+--- a/blog/lib.php
b/blog/lib.php
+@@ -672,7 +672,7 @@
+ $querystring = '';
+ foreach($_GET as $var = $val) {
