Hi,

On Fri, Feb 13, 2015 at 03:21:49PM +0100, Joost van Baal-Ilić wrote:
> On Tue, Jan 20, 2015 at 05:15:13PM +0100, Moritz Muehlenhoff wrote:
> > Package: moodle
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > The current Moodle package in the archive is affected by multiple security
> > issues:
> >
> > Cheers,
> > Moritz
> >
> > https://security-tracker.debian.org/tracker/CVE-2015-0218
<snip>
> > https://security-tracker.debian.org/tracker/CVE-2014-2054
> > https://security-tracker.debian.org/tracker/CVE-2013-3630
>
> These issues indeed are not listed to be fixed in moodle_2.7.5+dfsg-2 which is
> currently in unstable. I'll upload a new version which explicitly lists the
> CVEs fixed in upstream 2.7.5.
>
> For the record, on
> https://security-tracker.debian.org/tracker/source-package/moodle, as of
> today, still listed as unfixed in 2.7.5+dfsg-2 are:

> CVE-2014-4172

php-cas problem, fixed in Debian's php-cas 1.3.3-1 and 1.3.1-4+deb7u1.
Moodle ships with unchanged phpCAS 1.3.3, see
moodle-2.7.5+dfsg/auth/cas/CAS/moodle_readme.txt

Moodle can likely use the Debian-maintained php-cas package. I'll try &
test that.

> CVE-2014-2054

Security problem in old version of php-excel, which is shipped with moodle.
https://bugs.debian.org/718585 "RFP: php-excel -- Read, Write and Create
Excel documents in PHP"
Status: hard license problems, will probably never get packaged for Debian.

Popular workaround (as implemented by victims ownCloud and dolibarr): remove
PHPExcel code & functionality from package. I'll try & test that.

> CVE-2013-3630

https://tracker.moodle.org/browse/MDL-41449

I'll apply for a Jira account later... :-/

Bye,

Joost

--
Ho Mitakuye Oyasin ※ joostvb@{牛在田里,ad1810}.com ※ http://mdcc.cx/