-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Sep 2015 09:52:15 +0200
Source: moodle
Binary: moodle
Architecture: source all
Version: 2.7.10+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team 
<pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Joost van Baal-Ilić <joos...@debian.org>
Description:
 moodle     - course management system for online learning
Closes: 746594 749609 752615 775842 778422 785591 792242 799634
Changes:
 moodle (2.7.10+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released Sept 21, 2015. Note that the
     upstream 2.7 branch is now supported for security fixes only until May 2017
     (LTS).  Security issues fixed:
     - MSA-15-0030: Students can re-attempt answering questions in the lesson,
       Reported by Eric Eakin, MDL-50516, CVE-2015-5264
     - MSA-15-0031: Teacher in forum can still post to "all participants" and
       groups they are not members of, Reported by David Scotson, MDL-50576,
       CVE-2015-5272
     - MSA-15-0032: Users can delete files uploaded by other users in wiki,
       Reported by John Provasnik, MDL-48371, CVE-2015-5265
     - MSA-15-0033: Meta course synchronisation enrols suspended students as
       managers for a short period of time, Reported by Brian Winstead,
       MDL-50744, CVE-2015-5266
     - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
       Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
     - MSA-15-0035: Rating component does not check separate groups, Reported by
       Juan Leyva, MDL-50173, CVE-2015-5268
     - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
       MDL-50709, CVE-2015-5269
     See the 21 Sep 2015 post from Marina Glancy at
     http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details on
     these fixed security issues.  Some other fixes and improvements: MDL-51050
     - Forms such as "Create new group" are no longer populated with passwords
     and usernames by the browsers; MDL-42670 - Recent activity block no longer
     shows student name when assignment blind marking is on. See
     https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more details.
     Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
     Closes: #799634
   * debian/source/lintian-overrides: add comment/comment.js, some
     lib/yuilib/3.15.0/**/*-debug.js and
     lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
     positives "source-is-missing". Bug #799861 reported against lintian.
   * debian/copyright: clarify license situation of
     lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
     lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks
     Ondřej Surý and Paul Tagliamonte. Closes: #752615
   * debian/control: no longer depend upon libphp-pclzip.  This dependency was
     actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
     Thanks David Prévot. Closes: #749609
   * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
     See also https://tracker.moodle.org/browse/MDL-45395 .  Thanks Dan 
Poltawski
     e.a.
 .
 moodle (2.7.9+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released July 6, 2015. Note that the 
upstream
     2.7 branch is now supported for security fixes only until May 2017 (LTS).
     Security issues fixed:
     - MSA-15-0026 Possible phishing when redirecting to external site using
       referer header, Reported by Totara, MDL-50688, CVE-2015-3272
     - MSA-15-0028 Possible XSS through custom text profile fields in Web
       Services, Reported by Marina Glancy, MDL-50130, CVE-2015-3274
     - MSA-15-0029 Javascript injection in SCORM module, Reported by Martin
       Greenaway, MDL-50614, CVE-2015-3275
     See http://www.openwall.com/lists/oss-security/2015/07/13/2 for more 
details
     on these fixed security issues.  Some other fixes and improvements:
     MDL-50380 - Fixed missing parameter error when editing files in wiki;
     MDL-50177 - Upgrading assignments in 2.7/2.8 works even when conditional
     access is used; MDL-50275 - Added missing version bump after risk bitmap
     change in MDL-49941.  See the Moodle 2.7.9 release notes at
     https://docs.moodle.org/dev/Moodle_2.7.9_release_notes for more details.
     Thanks Salvatore Bonaccorso. Closes: #792242
   * debian/changelog: fix line length: max 80 columns.
 .
 moodle (2.7.8+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released 11 May 2015.  Security issues
     fixed:
     - MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare
       that, Reported by Hugh Davenport, MDL-49941, CVE-2015-3174
     - MSA-15-0019: Possible phishing when redirecting to external site using
       referer header, Reported by Dingjie Yang, MDL-49179, CVE-2015-3175
     - MSA-15-0020: User fullname disclosure through account confirmation link,
       Reported by: Federico Kirschbaum, MDL-50099, CVE-2015-3176
     - MSA-15-0022: Potential XSS risk when returning text entered by student
       from Web Services, Reported by Eloy Lafuente, MDL-49718, CVE-2015-3178
     - MSA-15-0023: Suspended user is able to login when confirming email,
       Reported by Marina Glancy, MDL-50090, CVE-2015-3179
     - MSA-15-0024: User with suspended enrolment can see sections in the
       navigation tree, Reported by Alex Mitin, MDL-49788, CVE-2015-3180
     - MSA-15-0025: Capability to manage own files is not respected in Web
       Services, Reported by Juan Leyva, MDL-49994, CVE-2015-3181
     See http://www.openwall.com/lists/oss-security/2015/05/18/1 for more 
details
     on these fixed security issues.  Some other fixes: MDL-48187 - Fixed 
problem
     with new items automatically marked as extra credit in SWM category in
     Gradebook; MDL-42449 - Grade category is preserved when duplicating a
     module; MDL-46746, MDL-47003, MDL-47002 - Atto editor HTML cleaning is less
     aggressive and more aware of special tags, especially noticeable when
     pasting text from Word.  See the Moodle 2.7.8 release notes at
     https://docs.moodle.org/dev/Moodle_2.7.8_release_notes for more details.
     Thanks Salvatore Bonaccorso.  Closes: #785591
   * debian/watch: fix syntax.
 .
 moodle (2.7.7+dfsg-2) unstable; urgency=high
 .
   * debian/install: now installs scripts mdeploy.php and mdeploytest.php.
   * debian/install: now installs the directory "availability", thanks Maarten
     Horden and Oscar Diaz (Closes: #778422).
   * debian/changelog: Add some extra information on issues fixed in entry
     moodle (2.7.7+dfsg-1)), thanks Marina Glancy and Thijs Kinkhorst.
   * debian/changelog: Add some extra information on CVE-2013-3630 in entry
     moodle (2.7.5+dfsg-3), thanks Marina Glancy.
 .
 moodle (2.7.7+dfsg-1) unstable; urgency=high
 .
   * New upstream security release, released 10 March 2015.  (Moodle 2.7.6 was
     released 9 March 2015).  Issues fixed:
     - MSA-15-0010: Personal contacts and number of unread messages can be
       revealed, Reported by Barry Oosthuizen, MDL-49204, CVE-2015-2266
     - MSA-15-0011: Authentication in mdeploy can be bypassed. Reported by
       Frédéric Massart, MDL-49087 CVE-2015-2267
     - MSA-15-0012: ReDoS Possible with Convert links to URLs filter. Reported 
by
       Rob, MDL-38466, CVE-2015-2268
     - MSA-15-0013: Block title not properly escaped and may cause HTML
       injection.  Reported by Gjoko Krstic, MDL-49144, CVE-2015-2269
     - MSA-15-0014: Potential information disclosure for the inaccessible
       courses.  Reported by Sam Hemelryk, MDL-48804, CVE-2015-2270
     - MSA-15-0015: User without proper permission is able to mark the tag as
       inappropriate, Reported by Frédéric Massart, MDL-49084, CVE-2015-2271
     - MSA-15-0016: Web services token can be created for user with temporary
       password.  Reported by Juan Leyva, MDL-48691, CVE-2015-2272
     - MSA-15-0017: XSS in quiz statistics report. Reported by Tim Hunt,
       MDL-49364, CVE-2015-2273
   * debian/changelog: enhance 2.7.2-1 entry: add note on upstream long term
     support of this 2.7 branch.
   * debian/TODO: add some build instructions.
   * debian/control: more strict php-cas dependency: known to break with
     1.3.1-4+deb7u1, known to work with 1.3.3-1.
 .
 moodle (2.7.5+dfsg-3) unstable; urgency=high
 .
   * debian/README.Debian: add authors and dates, in order to make status more
     clear.
   * debian/watch: (trying to) get it working again, with revamped moodle.org
     website.
   * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
   * For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
     will not get fixed: it's not a bug: the attack can only get launched by an
     administrator, and administrators need to be trusted.  Sites that provide
     shared hosting and want to prevent the Moodle admin user from being able to
     set executable paths can also use: "$CFG->preventexecpath = true;".  See
     also Debian bug #775842 and Moodle issue MDL-41449.
   * Fix CVE-2014-4172 and CVE-2014-2054:
     - debian/rules, debian/control: don't use CAS client library as shipped 
with
       moodle (unchanged phpCAS 1.3.3, see upstream
       auth/cas/CAS/moodle_readme.txt) but php-cas as shipped with Debian
       (1.3.3-1 and 1.3.1-4+deb7u1); create symlinks /u/s/m/auth/cas/CAS/CAS.php
       -> /usr/share/php/CAS.php and /u/s/m/auth/cas/CAS/CAS ->
       /usr/share/php/CAS/.  This fixes CVE-2014-4172.
     - debian/rules: remove /u/s/m/lib/phpexcel from binary package.  Remove
       lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources.  This fixes both
       a license problem and a security problem: Although the PHP license is
       generally agreed to be DFSG-free, using it as a license on anything that
       isn't PHP itself makes the result non-free.  PHP OLE is licensed under 
the
       PHP license.  Older versions of PHP Excel, such as the one shipped with
       moodle, suffer from security problem CVE-2014-2054.  See also Debian Bug
       #718585 "RFP: php-excel".  (Closes: #746594)
     This closed Debian bug "Multiple security issues"; thanks Moritz
     Muehlenhoff, Thijs Kinkhorst and Hubert Chathi (Closes: #775842)
Checksums-Sha1:
 486d1aecb4ad26b67eeeec92050c9aef46f0ced8 1725 moodle_2.7.10+dfsg-1.dsc
 6386157e42550534aed3a1f44a821859cc40c611 34992383 
moodle_2.7.10+dfsg.orig.tar.gz
 45f2ae58b6d34a95599ca5dd9942aeecac46c491 72212992 
moodle_2.7.10+dfsg-1.debian.tar.xz
 71f5abc352b1bdef05dc4088df477e8155fb27b6 15415222 moodle_2.7.10+dfsg-1_all.deb
Checksums-Sha256:
 938854a7282e581ddbcb58e90cbb5e2d30abe89f93e3e073ccc70b2cd2358b21 1725 
moodle_2.7.10+dfsg-1.dsc
 7402c5dd3cd490d7747a6da7955e3de2e99933ede743e7b6cf68d9c02c92fa1b 34992383 
moodle_2.7.10+dfsg.orig.tar.gz
 460bacfd431b6adc1eab608f0a33640d0be4055f2f2fc3ee626f5752a67fa7f5 72212992 
moodle_2.7.10+dfsg-1.debian.tar.xz
 024f1887cc3bfa0c85df7979402870d34670141371154ae90f6f6401a3cf091b 15415222 
moodle_2.7.10+dfsg-1_all.deb
Files:
 807bc24231c0db678e1d9d13770d7760 1725 web optional moodle_2.7.10+dfsg-1.dsc
 2156effe57b122ab058a3b7410b3a98f 34992383 web optional 
moodle_2.7.10+dfsg.orig.tar.gz
 a4337310fe47fccd55d8976a7baf747d 72212992 web optional 
moodle_2.7.10+dfsg-1.debian.tar.xz
 a9224ab98ff0df1585368801332ff2a9 15415222 web optional 
moodle_2.7.10+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJWCPigAAoJEDNRenKl5rDIJ5QIAKNn5Au1z2vH0yao3iQr8Nv9
16wcR8RfR0w9yM1/zRhdBDR5UkakNvT58CO8TjsUa9n5xe6JeomsIILtlEb0boIS
4uczMnffBBYXxjFEj8GF+dUfRClyOkh1YMUdoxdhxA5M1YnhExFz2eo2JusZ+s9Z
x2EO5F/l9UK0tryAOo2gSi/bX21de/97LxhwOQGhGeG6IGg2+ORLpYCZd64+mEnP
3YgiYT8ozvm77sGbxhjGq2CBOqjHHQzsJP+XeZUSvJBU9LhYCnlSXH9ki8JiP/Wy
Xk0iujDpu1CVCkl0QKcGzh/U6I4qFRM9Mo7y9oygxMDLIceK7/MW5vfl9nCVaJc=
=Zq43
-----END PGP SIGNATURE-----

Reply via email to