Debian Bug report logs - #514284
moodle: New releases for 1.6.x fix security problems


Package: moodle; Maintainer for moodle is Moodle Packaging Team <pkg-moodle-maintainers@lists.alioth.debian.org>; Source for moodle is src:moodle.

Reported by: Vicm3 <vicm3@janus.ajusco.upn.mx>

Date: Thu, 5 Feb 2009 23:06:04 UTC

Severity: normal

Found in version moodle/1.6.3-2+etch1

Fixed in version moodle/1.6.3-2+etch2

Done: Dan Poltawski <talktodan@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Moodle Packaging Team <moodle-packaging@catalyst.net.nz>:
Bug#514284; Package moodle. (Thu, 05 Feb 2009 23:06:06 GMT)

Acknowledgement sent to Vicm3 <vicm3@janus.ajusco.upn.mx>:
New Bug report received and forwarded. Copy sent to Moodle Packaging Team <moodle-packaging@catalyst.net.nz>. (Thu, 05 Feb 2009 23:06:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Vicm3 <vicm3@janus.ajusco.upn.mx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: moodle: New releases for 1.6.x fix security problems
Date: Thu, 05 Feb 2009 17:05:08 -0600
Package: moodle
Version: 1.6.3-2+etch1
Severity: normal

New releases: Moodle 1.9.4, 1.8.8, 1.7.7 and 1.6.9
by Martin Dougiamas - Thursday, February 5, 2009, 03:48 PM
	Hi!

	We released some new versions of Moodle last week: full details
	about them are on the sparkly new Moodle download page.

	As usual these point releases wrap up a good number of small
	fixes and enhancements, including a brand-new security report
	from Petr Skoda that helps admins discover and correct insecure
	settings (note that a small performance issue affecting some
	users has already been fixed since 1.9.4 so get the latest
	weekly if you can)

	Most importantly, there are also fixes for all the security
	vulnerabilities reported on the Moodle Tracker over the past few
	months (thanks to all those who reported them!). Full details of
	these security fixes are, as usual, disclosed on our security
	page. (Note that administrators of registered Moodle sites were
	already informed about these releases a week ago as per our
	normal release process). To keep your sites safe all you need to
	do is upgrade your Moodle sites as soon as you can! If you would
	like to discuss any of the disclosed vulnerabilities or general
	techniques to improve the security of your own site, please come
	to our Security and Privacy forum.

	It's also worth mentioning that Moodle 1.6.9 and Moodle 1.7.7
	mark the last builds that the core team plan to release from
	those branches (unless someone else volunteers to maintain them)
	due to the amount of work involved. In short, please upgrade to
	later versions! smile

	In the meantime, we are also pushing ahead rapidly with the
	Moodle 2.0 roadmap and a number of enhancements for Moodle 1.9.5
	... some exciting things lie ahead!

	Cheers,
	Martin

	P.S. Did I mention you really should upgrade your Moodle sites?
	smile
http://moodle.org/mod/forum/discuss.php?d=115616

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)

Versions of packages moodle depends on:
ii  apache [httpd]          1.3.34-4.1+etch1 versatile, high-performance HTTP s
ii  debconf [debconf-2.0]   1.5.11etch2      Debian configuration management sy
ii  libapache-mod-php5      5.2.0-8+etch13   server-side, HTML-embedded scripti
ii  mimetex                 1.50-1           LaTeX math expressions to anti-ali
ii  php5-cli                5.2.0-8+etch13   command-line interpreter for the p
ii  php5-gd                 5.2.0-8+etch13   GD module for php5
ii  php5-mysql              5.2.0-8+etch13   MySQL module for php5
ii  ucf                     2.0020           Update Configuration File: preserv
ii  wwwconfig-common        0.0.48           Debian web auto configuration

Versions of packages moodle recommends:
ii  mysql-server-5.0 [mysql-se 5.0.32-7etch8 mysql database server binaries

-- debconf-show failed




Reply sent to Dan Poltawski <talktodan@gmail.com>:
You have taken responsibility. (Sun, 15 Mar 2009 20:42:30 GMT)

Notification sent to Vicm3 <vicm3@janus.ajusco.upn.mx>:
Bug acknowledged by developer. (Sun, 15 Mar 2009 20:42:30 GMT)

Message #10 received at 514284-close@bugs.debian.org:

From: Dan Poltawski <talktodan@gmail.com>
To: 514284-close@bugs.debian.org
Subject: Bug#514284: fixed in moodle 1.6.3-2+etch2
Date: Sun, 15 Mar 2009 19:54:44 +0000
Source: moodle
Source-Version: 1.6.3-2+etch2

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.6.3-2+etch2.diff.gz
  to pool/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz
moodle_1.6.3-2+etch2.dsc
  to pool/main/m/moodle/moodle_1.6.3-2+etch2.dsc
moodle_1.6.3-2+etch2_all.deb
  to pool/main/m/moodle/moodle_1.6.3-2+etch2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dan Poltawski <talktodan@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 31 Jan 2009 22:13:59 +0000
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.6.3-2+etch2
Distribution: stable-security
Urgency: high
Maintainer: Moodle Packaging Team <moodle-packaging@catalyst.net.nz>
Changed-By: Dan Poltawski <talktodan@gmail.com>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 514284
Changes: 
 moodle (1.6.3-2+etch2) stable-security; urgency=high
 .
   * Security update based on Moodle 1.6.9 (closes: #514284)
     - Fix XSS vulnerabilities in "login as" in HTML block (CVE-2009-0502)
     - Remove unused htmlarea plugin (CVE-2008-5153)
     - Fix XSS vulnerabilities in log display (CVE-2009-0500)
Files: 
 b86fd980d09fc1f54744962d765a17d7 793 web optional moodle_1.6.3-2+etch2.dsc
 60b9bf677040fbd71e7951deaa8b91d7 25398 web optional moodle_1.6.3-2+etch2.diff.gz
 7a90893e954672f33e129aa4d7ca5aa3 6582298 web optional moodle_1.6.3-2+etch2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJk5qJScUZKBnQNIYRAgxCAJ9rfXiUXGrVwuwhRAw/3OL0RcHJvACgiafR
v7N0GxjUVYKx1HrkNtcpp8w=
=vp8Z
-----END PGP SIGNATURE-----





Reply sent to Dan Poltawski <talktodan@gmail.com>:
You have taken responsibility. (Thu, 09 Apr 2009 17:18:05 GMT)

Notification sent to Vicm3 <vicm3@janus.ajusco.upn.mx>:
Bug acknowledged by developer. (Thu, 09 Apr 2009 17:18:06 GMT)

Message #15 received at 514284-close@bugs.debian.org:

From: Dan Poltawski <talktodan@gmail.com>
To: 514284-close@bugs.debian.org
Subject: Bug#514284: fixed in moodle 1.6.3-2+etch2
Date: Thu, 09 Apr 2009 17:10:59 +0000
Source: moodle
Source-Version: 1.6.3-2+etch2

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.6.3-2+etch2.diff.gz
  to pool/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz
moodle_1.6.3-2+etch2.dsc
  to pool/main/m/moodle/moodle_1.6.3-2+etch2.dsc
moodle_1.6.3-2+etch2_all.deb
  to pool/main/m/moodle/moodle_1.6.3-2+etch2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dan Poltawski <talktodan@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 31 Jan 2009 22:13:59 +0000
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.6.3-2+etch2
Distribution: stable-security
Urgency: high
Maintainer: Moodle Packaging Team <moodle-packaging@catalyst.net.nz>
Changed-By: Dan Poltawski <talktodan@gmail.com>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 514284
Changes: 
 moodle (1.6.3-2+etch2) stable-security; urgency=high
 .
   * Security update based on Moodle 1.6.9 (closes: #514284)
     - Fix XSS vulnerabilities in "login as" in HTML block (CVE-2009-0502)
     - Remove unused htmlarea plugin (CVE-2008-5153)
     - Fix XSS vulnerabilities in log display (CVE-2009-0500)
Files: 
 b86fd980d09fc1f54744962d765a17d7 793 web optional moodle_1.6.3-2+etch2.dsc
 60b9bf677040fbd71e7951deaa8b91d7 25398 web optional moodle_1.6.3-2+etch2.diff.gz
 7a90893e954672f33e129aa4d7ca5aa3 6582298 web optional moodle_1.6.3-2+etch2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJk5qJScUZKBnQNIYRAgxCAJ9rfXiUXGrVwuwhRAw/3OL0RcHJvACgiafR
v7N0GxjUVYKx1HrkNtcpp8w=
=vp8Z
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 May 2009 07:32:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:46:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.