Your message dated Thu, 18 Dec 2008 02:02:09 +0000
with message-id <e1ld8dj-0000gk...@ries.debian.org>
and subject line Bug#508909: fixed in moodle 1.8.2.dfsg-2
has caused the Debian Bug report #508909,
regarding remote code execution via preg_replace in html2text.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
508909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Version: 1.6.3-2
Severity: serious
Hello,
While taking a look at what moodle is shipping under /usr/share/moodle/lib/ I
noticed that the file html2text.php doesn't say much about its licence other
than a reference to upstream's website.
And from there (just quoting the most obvious ones)[1]:
> You should not attempt to prevent others from copying the scripts from your
> site. However, if you want to include the scripts in any script archives
> for downloading (such as ScriptSearch or JavaScript Kit), online or
> downloadable web templates (such as the SharePoint templates), or in
> bundled or distributed scripts/software (such as Opera or Dashboard
> widgets, or the Formativ Academic Timetable), you should contact me first
> and obtain my express written permission.
> You should check my scripts archive and 'What's new?' pages periodically to
> see if the script has been updated. More commonly updated scripts will also
> include version numbers in the .js header file(s). Updates are usually to
> provide extra functionality, or to increase browser compatibility, as well
> as the occasional bug fix. If you would like to be automatically kept up to
> date with script updates, subscribe to my RSS feed. All important script
> updates will be mentioned on there.
> — Commercial/profit-making public websites
> — Corporate internal websites
IOW: at first glance, it violates points 1, 5, and 6 of the DFSG.
When searching for other copies in the archive of the same file I found
roundcube-core shipping a file called html2text.php[2] which includes
html2text.inc which is released under the v2 of the GPL. Haven't checked, but
it might be a candidate to replace moodle's.
[1]http://www.howtocreate.co.uk/jslibs/termsOfUse.html
[2]/usr/share/roundcube/program/lib/html2text.inc
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.8.2.dfsg-2
We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:
moodle_1.8.2.dfsg-2.diff.gz
to pool/main/m/moodle/moodle_1.8.2.dfsg-2.diff.gz
moodle_1.8.2.dfsg-2.dsc
to pool/main/m/moodle/moodle_1.8.2.dfsg-2.dsc
moodle_1.8.2.dfsg-2_all.deb
to pool/main/m/moodle/moodle_1.8.2.dfsg-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 508...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francois Marier <franc...@debian.org> (supplier of updated moodle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Dec 2008 13:37:10 +1300
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.8.2.dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team <moodle-packag...@catalyst.net.nz>
Changed-By: Francois Marier <franc...@debian.org>
Description:
moodle - Course Management System for Online Learning
Closes: 508909
Changes:
moodle (1.8.2.dfsg-2) unstable; urgency=high
.
[ Dan Poltawski ]
* Patch SQL injection bug in hotpot module (MSA-08-0010)
* Fix XSS bug in logged urls (MDL-11414)
* Fix XSS bug in install script (MSA-08-0004)
* Fix insufficient access control in Login as feature (MSA-08-0003)
* Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
* Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
* Fix CSRF in messaging settings (MSA-08-0023)
* Fix anonymous group creation and html injection (MDL-11759)
* Fix SQL injection bug in mnet (MDL-9288)
* Fix SQL injection bug in restore (MDL-11857)
* Insufficient cleaning of essay questions (MDL-12079)
* Fix insufficient cleaning of PARAM_HOST (MDL-12793)
* Fix XSS bug in logged urls (MDL-11414)
* Fix uncleaned params in wiki (MDL-14806)
.
[ Francois Marier ]
* Update html2text to prevent code execution attacks (closes: #508909)
Checksums-Sha1:
4b5a11c0d458f1982b5030f2bc776bd7ac6406ab 1362 moodle_1.8.2.dfsg-2.dsc
93f9bd3c9095fd6d0c63df5525d6561d898bc3b7 43969 moodle_1.8.2.dfsg-2.diff.gz
61e714003fb67967941e15de511b3240138e6dda 8722420 moodle_1.8.2.dfsg-2_all.deb
Checksums-Sha256:
42f1c506dcbc3e778d4e33a03467b5916d16b6b2e6e090fb6cfcc8593ca00a1f 1362 moodle_1.8.2.dfsg-2.dsc
512ef655560b7ea753ee1723c75026467bc0fd07e34b04f63943739104af243b 43969 moodle_1.8.2.dfsg-2.diff.gz
ed0f67b5bae9d1348110321a1251419f195f1a3446bef5a28dbb107512bc944a 8722420 moodle_1.8.2.dfsg-2_all.deb
Files:
67c70c53a69a65e218e3428a425caaf8 1362 web optional moodle_1.8.2.dfsg-2.dsc
75fc4dd2a5bce9e5b682b3804c807361 43969 web optional moodle_1.8.2.dfsg-2.diff.gz
2374aa6c5e3351c964a6e0fd9822d474 8722420 web optional moodle_1.8.2.dfsg-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklIdq8ACgkQScUZKBnQNIbxYgCfXLjMqaa0G+cCd+jJvRoi7N6y
zrcAnApJcK683ZC+040/NsoPVxLCNOpY
=C28q
-----END PGP SIGNATURE-----
--- End Message ---