Your message dated Mon, 09 Mar 2015 12:04:35 +0000
with message-id <e1yuwqf-0005gg...@franck.debian.org>
and subject line Bug#775842: fixed in moodle 2.7.5+dfsg-3
has caused the Debian Bug report #775842,
regarding moodle: Multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security
Justification: user security hole

The current Moodle package in the archive is affected by multiple security issues:

Cheers,
        Moritz

https://security-tracker.debian.org/tracker/CVE-2015-0218
https://security-tracker.debian.org/tracker/CVE-2015-0217
https://security-tracker.debian.org/tracker/CVE-2015-0216
https://security-tracker.debian.org/tracker/CVE-2015-0215
https://security-tracker.debian.org/tracker/CVE-2015-0214
https://security-tracker.debian.org/tracker/CVE-2015-0213
https://security-tracker.debian.org/tracker/CVE-2015-0212
https://security-tracker.debian.org/tracker/CVE-2015-0211
https://security-tracker.debian.org/tracker/CVE-2014-9059
https://security-tracker.debian.org/tracker/CVE-2014-7848
https://security-tracker.debian.org/tracker/CVE-2014-7847
https://security-tracker.debian.org/tracker/CVE-2014-7846
https://security-tracker.debian.org/tracker/CVE-2014-7845
https://security-tracker.debian.org/tracker/CVE-2014-7838
https://security-tracker.debian.org/tracker/CVE-2014-7837
https://security-tracker.debian.org/tracker/CVE-2014-7836
https://security-tracker.debian.org/tracker/CVE-2014-7835
https://security-tracker.debian.org/tracker/CVE-2014-7834
https://security-tracker.debian.org/tracker/CVE-2014-7833
https://security-tracker.debian.org/tracker/CVE-2014-7832
https://security-tracker.debian.org/tracker/CVE-2014-7831
https://security-tracker.debian.org/tracker/CVE-2014-7830
https://security-tracker.debian.org/tracker/CVE-2014-4172
https://security-tracker.debian.org/tracker/CVE-2014-3617
https://security-tracker.debian.org/tracker/CVE-2014-3553
https://security-tracker.debian.org/tracker/CVE-2014-3551
https://security-tracker.debian.org/tracker/CVE-2014-3548
https://security-tracker.debian.org/tracker/CVE-2014-3547
https://security-tracker.debian.org/tracker/CVE-2014-3546
https://security-tracker.debian.org/tracker/CVE-2014-3545
https://security-tracker.debian.org/tracker/CVE-2014-3544
https://security-tracker.debian.org/tracker/CVE-2014-3543
https://security-tracker.debian.org/tracker/CVE-2014-3542
https://security-tracker.debian.org/tracker/CVE-2014-3541
https://security-tracker.debian.org/tracker/CVE-2014-2054
https://security-tracker.debian.org/tracker/CVE-2013-3630

--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 2.7.5+dfsg-3

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joost van Baal-Ilić <joos...@debian.org> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 09 Mar 2015 12:56:41 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 2.7.5+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Joost van Baal-Ilić <joos...@debian.org>
Description:
 moodle     - course management system for online learning
Closes: 775842
Changes:
 moodle (2.7.5+dfsg-3) unstable; urgency=high
 .
   * debian/README.Debian: add authors and dates, in order to make status more
     clear.
   * debian/watch: (trying to) get it working again, with revamped moodle.org
     website.
   * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
   * For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
     will not get fixed: it's not a bug: the attack can only get launched by an
     administrator, and administrators need to be trusted.  See also Debian
     bug #775842.
   * Fix CVE-2014-4172 and CVE-2014-2054:
     - debian/rules, debian/control: don't use CAS client library as shipped with
       moodle (unchanged phpCAS 1.3.3, see upstream auth/cas/CAS/moodle_readme.txt)
       but php-cas as shipped with Debian (1.3.3-1 and 1.3.1-4+deb7u1); create
       symlinks /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php
       and /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/.  This fixes CVE-2014-4172.
     - debian/rules: remove /u/s/m/lib/phpexcel from binary package.  Remove
       lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources.  This fixes both a
       license problem and a security problem: Although the PHP license is generally
       agreed to be DFSG-free, using it as a license on anything that isn't PHP
       itself makes the result non-free.  PHP OLE is licensed under the PHP license.
       Older versions of PHP Excel, such as the one shipped with moodle, suffer from
       security problem CVE-2014-2054.  See also Debian Bug #718585 "RFP: php-excel".
     This closed Debian bug "Multiple security issues"; thanks Moritz Muehlenhoff,
     Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
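
The unbundling described in the changelog above can be audited on an installed system. The shell function below is an added example, not part of the original message or of the Debian package; the Moodle root is a caller-supplied parameter (the changelog abbreviates it as /u/s/m), the finding labels are constructed, and /usr/share/php is the symlink target named in the changelog.

```shell
#!/bin/sh
# check_unbundled MOODLE_ROOT PHP_LIB_ROOT
# Prints one finding per line; returns 0 when the tree matches the changelog.
check_unbundled() {
    root=$1      # installed Moodle tree (assumption: passed by the caller)
    phplib=$2    # system PHP library directory, /usr/share/php in the changelog
    rc=0

    # Both CAS entry points must be symlinks resolving into the system php-cas.
    for pair in "auth/cas/CAS/CAS.php:CAS.php" "auth/cas/CAS/CAS:CAS"; do
        rel=${pair%%:*}
        want=$phplib/${pair##*:}
        path=$root/$rel
        if [ ! -L "$path" ]; then
            echo "BUNDLED: $rel is not a symlink"
            rc=1
        elif [ ! -e "$path" ]; then
            echo "DANGLING: $rel points at a missing target"
            rc=1
        elif [ "$(readlink -f "$path")" != "$(readlink -f "$want")" ]; then
            echo "MISMATCH: $rel does not resolve to $want"
            rc=1
        fi
    done

    # The bundled PHPExcel copy must be absent from the installed tree.
    if [ -e "$root/lib/phpexcel" ]; then
        echo "PRESENT: lib/phpexcel is still installed"
        rc=1
    fi
    return $rc
}

# Audit a real tree only when a Moodle root is given on the command line.
if [ $# -ge 1 ]; then
    check_unbundled "$1" "${2:-/usr/share/php}"
fi
```

A non-zero exit status with a BUNDLED or PRESENT finding means the tree still carries its own copy of the library, so fixes to the system php-cas package would not reach it.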
