Sync moodle 1.9.9.dfsg2-6 (universe) from Debian unstable, security & l10 fixes

Bug #981920 reported by Jeremy Bícha
Affects                   Status        Importance   Assigned to   Milestone
moodle (Ubuntu)           Fix Released  Undecided    Unassigned
moodle (Ubuntu Natty)     Won't Fix     Undecided    Unassigned
moodle (Ubuntu Oneiric)   Won't Fix     Undecided    Unassigned
moodle (Ubuntu Precise)   Fix Released  Undecided    Unassigned

Bug Description

Please sync moodle 1.9.9.dfsg2-6 (universe) from Debian unstable (main)

Changelog entries since current natty version 1.9.9.dfsg2-2:

moodle (1.9.9.dfsg2-6) unstable; urgency=high

  * Backporting security fixes from Moodle 1.9.17
     - MSA-12-00013 DB activity export does not respect groups
         (CVE-2012-1155, closes: #668411)

 -- Tomasz Muras <email address hidden> Thu, 12 Apr 2012 21:55:48 +0100

moodle (1.9.9.dfsg2-5.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - Danish (Joe Hansen). Closes: #658747
    - Dutch (Jeroen Schot). Closes: #660243
    - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #668092
    - Italian (Beatrice Torracca). Closes: #668161

 -- Christian Perrier <email address hidden> Tue, 10 Apr 2012 07:36:58 +0200

moodle (1.9.9.dfsg2-5) unstable; urgency=high

  * Backporting security fixes from Moodle 1.9.15 and 1.9.16
    (closes: #652235)
     - MSA-11-0054 Personal information leak
     - MSA-11-0045 Potential to masquerade through MNet (CVE-2011-4584)
     - MSA-11-0046 Insecure authentication transmission (CVE-2011-4585)
     - MSA-11-0047 Possible injection attack in Calendar (CVE-2011-4586)
     - MSA-11-0048 Password loss issue (CVE-2011-4587)
     - MSA-11-0049 Network restriction ineffective with MNet (CVE-2011-4588)
     - MSA-12-0007 Email injection prevention (CVE-2012-0796)
     - MSA-12-0006 Additional email address validation (CVE-2012-0795)
     - MSA-12-0005 Encryption enhancement (CVE-2012-0794)
     - MSA-12-0004 Added profile image security (CVE-2012-0793)
     - MSA-12-0003 Added password protection
     - MSA-12-0002 Personal information leak, previously MSA-11-0040
       (CVE-2011-4308 and CVE-2012-0792)
     - MSA-12-0001 Recaptcha transmission consistency issue

 -- Tomasz Muras <email address hidden> Mon, 27 Feb 2012 21:14:48 +0000

moodle (1.9.9.dfsg2-4) unstable; urgency=high

  * Backporting security fixes from Moodle 1.9.13 and 1.9.14
      - MSA-11-0026 Fields in user upload CSV not being escaped (MDL-28360)
      - MSA-11-0025 Group names in user upload CSV not being escaped (MDL-28197)
      - MSA-11-0024 Recaptcha images were being authenticated
          from an older server (MDL-27889) (closes: #638935)
      - MSA-11-0020 Continue links in error messages can lead offsite (MDL-27464)
      - MSA-11-0038 Database injection protection strengthened (MDL-29033)
      - MSA-11-0037 Course section editing injection vulnerability (MDL-28722)
      - MSA-11-0036 Messaging refresh vulnerability (MDL-29311)
      - MSA-11-0032 MNET SSL validation issue (MDL-29148)
      - MSA-11-0031 Forms API constant issue (MDL-23872)
  * Make sure that smarty & yui symlinks are correct (closes: 603255,614712)

 -- Tomasz Muras <email address hidden> Fri, 28 Oct 2011 13:29:14 +0100

moodle (1.9.9.dfsg2-3) unstable; urgency=high

  * Backporting security fixes from Moodle 1.9.11 and 1.9.12
      - MSA-11-0002 Cross-site request forgery vulnerability in RSS block (MDL-18839)
      - MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete (MDL-25754)
      - MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information (MDL-26189)
      - MSA-11-0011 Multiple cross-site scripting problems in media filter (MDL-26030)
      - MSA-11-0015 Cross Site Scripting through URL encoding (MDL-26966)
      - MSA-11-0013 Group/Quiz permissions issue (MDL-25122)

 -- Tomasz Muras <email address hidden> Wed, 18 May 2011 20:57:59 +0100

moodle (1.9.9.dfsg2-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix encoding of Swedish debconf translation.

 -- Christian Perrier <email address hidden> Tue, 11 Jan 2011 22:03:44 +0100

Tags: sync
Jeremy Bícha (jbicha)
Changed in moodle (Ubuntu):
importance: Undecided → Wishlist
security vulnerability: no → yes
description: updated
Jeremy Bícha (jbicha)
Changed in moodle (Ubuntu):
importance: Wishlist → Undecided
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in moodle (Ubuntu):
status: New → Confirmed
Changed in moodle (Ubuntu):
assignee: nobody → Fabrice Coutadeur (fabricesp)
status: Confirmed → In Progress
Fabrice Coutadeur (fabricesp) wrote :

Sync requested: thanks!

Changed in moodle (Ubuntu):
assignee: Fabrice Coutadeur (fabricesp) → nobody
status: In Progress → Fix Committed
Fabrice Coutadeur (fabricesp) wrote :

This bug was fixed in the package moodle - 1.9.9.dfsg2-6
Sponsored for Jeremy Bicha (jbicha)

---------------
moodle (1.9.9.dfsg2-6) unstable; urgency=high

  * Backporting security fixes from Moodle 1.9.17
     - MSA-12-00013 DB activity export does not respect groups
         (CVE-2012-1155, closes: #668411)

 -- Tomasz Muras <email address hidden> Thu, 12 Apr 2012 21:55:48 +0100

moodle (1.9.9.dfsg2-5.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - Danish (Joe Hansen). Closes: #658747
    - Dutch (Jeroen Schot). Closes: #660243
    - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #668092
    - Italian (Beatrice Torracca). Closes: #668161

 -- Christian Perrier <email address hidden> Tue, 10 Apr 2012 07:36:58 +0200

Changed in moodle (Ubuntu):
status: Fix Committed → Fix Released
Jeremy Bícha (jbicha) wrote :

Re-opening since this was fixed for Precise, but it'd be nice if the security fixes were applied to Oneiric and Natty also.

tags: added: sync
Changed in moodle (Ubuntu):
status: Fix Released → New
Changed in moodle (Ubuntu Precise):
status: New → Fix Released
Fabrice Coutadeur (fabricesp) wrote :

Hi Jeremy,

For Natty and Oneiric, please follow the SRU (https://wiki.ubuntu.com/StableReleaseUpdates) or the security guide (https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation) process.

Thanks,
Fabrice

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in moodle (Ubuntu Natty):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in moodle (Ubuntu Oneiric):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.