Your message dated Sun, 20 Jul 2008 16:47:29 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#489533: fixed in moodle 1.8.2-1.3
has caused the Debian Bug report #489533,
regarding moodle: CVE-2008-1502 _bad_protocol_once function allows XSS and possibly code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
489533: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489533
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moodle.
CVE-2008-1502[0]:
| The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in
| eGroupWare before 1.4.003 allows remote attackers to bypass HTML
| filtering and conduct cross-site scripting (XSS) attacks via a string
| containing crafted URL protocols.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Upstream advisory:
http://moodle.org/mod/forum/discuss.php?d=95031
Patches:
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.10&r2=1.581.4.11&view=patch
http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.12.3&r2=1.3.12.4&view=patch
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1502
http://security-tracker.debian.net/tracker/CVE-2008-1502
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.8.2-1.3
We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:
moodle_1.8.2-1.3.diff.gz
to pool/main/m/moodle/moodle_1.8.2-1.3.diff.gz
moodle_1.8.2-1.3.dsc
to pool/main/m/moodle/moodle_1.8.2-1.3.dsc
moodle_1.8.2-1.3_all.deb
to pool/main/m/moodle/moodle_1.8.2-1.3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated moodle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Sun, 20 Jul 2008 18:07:55 +0200
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.8.2-1.3
Distribution: unstable
Urgency: high
Maintainer: Isaac Clerencia <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
moodle - Course Management System for Online Learning
Closes: 489533
Changes:
 moodle (1.8.2-1.3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix broken HTML filtering which could be used to perform XSS attacks,
     bypass restrictions or possibly execute arbitrary code
     (CVE-2008-1502; Closes: #489533).
--- End Message ---