Your message dated Sat, 30 Oct 2010 11:32:23 +0000
with message-id <e1pc9fb-00012z...@franck.debian.org>
and subject line Bug#601384: fixed in moodle 1.9.9.dfsg2-2
has caused the Debian Bug report #601384,
regarding 1.9.10 fixes security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
601384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security

Dear Moodle maintainers,

Moodle embeds a copy of PHPCAS, which had a couple of security issues.
I contacted them and they have now released a new 1.9.10 version, which
fixes this and other security issues, see http://moodle.org/security/:

MSA-10-0016: Multiple phpCAS library vulnerabilities
MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0
MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11

MSA-10-0014 seems a bit of a mystery to me, the downloaded tarball
doesn't contain a local copy of phpmyadmin? (Which would be a
pretty horrible code duplication).

As for MSA-10-0015: Please check whether it's possible to patch Moodle
to use the php-htmlpurifier package from the archive instead of providing
its own local copy. If that is not possible, we can proceed with
patching Moodle's version.

For PHPCAS, there isn't yet a package in the archive. An RFP exists
(#495542), it would be nice if Moodle could switch to a central
package for Wheezy.

Please don't package the full new 1.9.10 package for Squeeze, but
only pull in the phpcas and htmlpurifier changes, this makes it easier
for the release team to review the changes.

Cheers,
        Moritz



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
pn  apache2-mpm-prefork | httpd  <none>      (no description available)
ii  debconf [debconf-2.0]        1.5.36      Debian configuration management sy
pn  libapache2-mod-php5 | php5-c <none>      (no description available)
pn  mimetex                      <none>      (no description available)
pn  php5-cli                     <none>      (no description available)
pn  php5-curl                    <none>      (no description available)
pn  php5-gd                      <none>      (no description available)
pn  php5-pgsql | php5-mysql      <none>      (no description available)
pn  postgresql-client            <none>      (no description available)
ii  ucf                          3.0025+nmu1 Update Configuration File: preserv
pn  wwwconfig-common             <none>      (no description available)

Versions of packages moodle recommends:
pn  postgresql | mysql-server     <none>     (no description available)

moodle suggests no packages.



--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.9.9.dfsg2-2

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.9.9.dfsg2-2.debian.tar.gz
  to main/m/moodle/moodle_1.9.9.dfsg2-2.debian.tar.gz
moodle_1.9.9.dfsg2-2.dsc
  to main/m/moodle/moodle_1.9.9.dfsg2-2.dsc
moodle_1.9.9.dfsg2-2_all.deb
  to main/m/moodle/moodle_1.9.9.dfsg2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 601...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Muras <nexor1...@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 30 Oct 2010 12:19:28 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.9.9.dfsg2-2
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Tomasz Muras <nexor1...@gmail.com>
Description: 
 moodle     - course management system for online learning
Closes: 596820 601384
Changes: 
 moodle (1.9.9.dfsg2-2) unstable; urgency=low
 .
   * Added Romanian translation
   * Updated Japanese translation (closes: #596820)
   * Backporting security fixes from Moodle 1.9.10 (closes: #601384)
      - Updated embedded CAS to 1.1.3
      - Added patch for MDL-24523:
        clean_text() not filtering text in markdown format
      - Added patch for MDL-24810 and upgraded customized HTML Purifier to 4.2.0
      - Added patch for MDL-24258:
        students can delete their forum posts later than $CFG->maxeditingtime
        under certain conditions
      - Added patch for MDL-23377:
        Can't delete quiz attempts in course without enrolled students

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
