Your message dated Fri, 19 Jul 2013 11:33:38 +0000
with message-id <e1v08wm-0004ha...@franck.debian.org>
and subject line Bug#703870: fixed in moodle 2.5.1-1
has caused the Debian Bug report #703870,
regarding moodle: Multiple security issues reported
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
703870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: moodle
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for moodle.
CVE-2013-1829[0]:
Calendar subscription capability issue
(this seems not to affect moodle in Debian as versions affected are
reported as 2.4 to 2.4.1)
CVE-2013-1830[1]:
Information leak in course profiles
CVE-2013-1831[2]:
Server information revealed through exception messages
CVE-2013-1832[3]:
Password revealed in WebDav repository
CVE-2013-1833[4]:
Cross-site scripting issue in Filepicker
CVE-2012-3363[5]:
| Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before
| 1.12.0 does not properly handle SimpleXMLElement classes, which allows
| remote attackers to read arbitrary files or create TCP connections via
| an external entity reference in a DOCTYPE element in an XML-RPC
| request, aka an XML external entity (XXE) injection attack.
CVE-2013-1834[6]:
Form manipulation issue in notes
CVE-2013-1835[7]:
Personal information leak through repositories
CVE-2013-1836[8]:
Unauthorised settings editing through WebDav repository
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
http://security-tracker.debian.org/tracker/CVE-2013-1829
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
http://security-tracker.debian.org/tracker/CVE-2013-1830
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
http://security-tracker.debian.org/tracker/CVE-2013-1831
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
http://security-tracker.debian.org/tracker/CVE-2013-1832
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
http://security-tracker.debian.org/tracker/CVE-2013-1833
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://security-tracker.debian.org/tracker/CVE-2012-3363
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
http://security-tracker.debian.org/tracker/CVE-2013-1834
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
http://security-tracker.debian.org/tracker/CVE-2013-1835
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
http://security-tracker.debian.org/tracker/CVE-2013-1836
Please adjust the affected versions in the BTS as needed.
Thank you for your work!
Regards,
Salvatore
--- End Message ---
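The XXE class behind CVE-2012-3363 above, shown as an added defensive example in PHP; this is not Moodle's or Zend Framework's own code, and the function names and sample requests are constructed. It refuses XML-RPC bodies that carry a DOCTYPE or entity declaration and parses the remainder with external entity loading disabled.

```php
<?php
// Added example, not Moodle or Zend Framework code. Defensive handling of an
// XML-RPC request body against the XXE pattern described in CVE-2012-3363:
// an external entity reference declared in a DOCTYPE of the request.

// Returns true when the body carries no DOCTYPE and no entity declaration.
// XML-RPC never needs either, so their presence is reason enough to refuse
// the request before any parser touches it. The check is byte-based on
// purpose: deciding must not require parsing the untrusted input.
function xmlrpcBodyIsSafe(string $body): bool
{
    if (stripos($body, '<!DOCTYPE') !== false) {
        return false;
    }
    if (stripos($body, '<!ENTITY') !== false) {
        return false;
    }
    return true;
}

// Parses a vetted XML-RPC body and returns its methodName, or null when the
// body was refused or does not parse as an XML-RPC call.
function xmlrpcMethodName(string $body): ?string
{
    if (!xmlrpcBodyIsSafe($body)) {
        return null;
    }
    // PHP < 8.0: turn the external entity loader off explicitly. From 8.0 on
    // it is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately not
    // set, so entities are never substituted even if one slipped through.
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || !isset($doc->methodName)) {
        return null;
    }
    return (string) $doc->methodName;
}

// Constructed sample requests (not taken from the bug report).
$benign  = '<?xml version="1.0"?><methodCall><methodName>system.listMethods'
         . '</methodName><params/></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM '
         . '"file:///path/to/secret">]><methodCall><methodName>&e;'
         . '</methodName></methodCall>';
var_dump(xmlrpcMethodName($benign));
var_dump(xmlrpcMethodName($hostile));
```

The benign request yields its method name; the DOCTYPE-bearing one is refused before the parser runs, so the entity reference is never resolved.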
--- Begin Message ---
Source: moodle
Source-Version: 2.5.1-1
We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 703...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated moodle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 19 Jul 2013 08:52:46 +0200
Source: moodle
Binary: moodle
Architecture: source all
Version: 2.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
moodle - course management system for online learning
Closes: 429339 692626 702387 703870 716972 716986 717080 717108 717278
Changes:
moodle (2.5.1-1) unstable; urgency=low
.
* New upstream version: 2.5.1.
- Fixes security issues:
CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245
CVE-2013-2246
* Depend on apache2 instead of obsolete apache2-mpm-prefork.
* Use packaged libphp-phpmailer (closes: #429339), adodb,
HTMLPurifier, PclZip.
* Update debconf translations, thanks Salvatore Merone, Pietro Tollot,
Joe Hansen, Yuri Kozlov, Holger Wansing, Américo Monteiro,
Adriano Rafael Gomes, victory, Michał Kułach.
(closes: #716972, #716986, #717080, #717108, #717278)
.
moodle (2.5-1) unstable; urgency=low
.
* New upstream version: 2.5.
- Removed problematically licenced JSON code (closes: #692626).
- Fixes security issues:
CVE-2012-3363, CVE-2012-6098, CVE-2012-6099, CVE-2012-6100,
CVE-2012-6101, CVE-2012-6103, CVE-2012-6104, CVE-2012-6105,
CVE-2012-6112, CVE-2013-1829, CVE-2013-1830, CVE-2013-1831,
CVE-2013-1832, CVE-2013-1833, CVE-2013-1834, CVE-2013-1835,
CVE-2013-1836, CVE-2013-2080, CVE-2013-2081, CVE-2013-2082,
CVE-2013-2083 (closes: #702387, #703870).
* FLV player removed, no need to repack source tarball.
* Checked for policy 3.9.4, no changes. Updated to debhelper 8.
* Use xz compression for binary packages.
.
moodle (2.2.7.dfsg-1) unstable; urgency=low
.
* New upstream version: 2.2.7+ (Build: 20130125)
.
* Fix possible security issue for curl in 3rd party libraries:
* phpCAS (CVE-2012-5583)
* amazon-s3-php-class (CVE-2012-6087)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---