This bug was fixed in the package moodle - 1.9.4.dfsg-0ubuntu1

---------------
moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low

  * Merge with Debian git (Closes LP: #322961, #239481, #334611):
    - use Ubuntu's smarty lib directory for linking
    - use internal yui library
    - add update-notifier support back in

  [ Matt Oquist ]
  * renamed prerm script
  * significantly rewrote postinst and other maintainer scripts to improve
    user experience and package maintainability
    (Closes LP: #225662, #325450, #327843, #303078, #234609)

moodle (1.9.4.dfsg-1) UNRELEASED; urgency=low

  * New Upstream Version (closes: #475535, #514284, #515823)
    (added notes/ and tag/ to debian/install)
  * Merge with Ubuntu:
    - drop use of wwwconfig (closes: #389502, #302205)
    - debian/postinst: ucf fixes (fixes a hang)
  * Remove preinst (no more direct upgrades from sarge)
  * Remove PHP4 support from the Apache config file we provide
  * Drop support for apache 1.x and remove from debconf
  * Add Swedish debconf translation (closes: #511202)
  * Bump debhelper compatibility to 7
  * Add lintian overrides for known customised libraries
  * Add new license files to delete (lintian warning)
  * Compress the deb with bzip2
  * Add a watch file
  * Update copyright file

  Dependencies:
  * Depend on libjs-yui instead of yui (renamed after lenny)
  * Add dependency on unzip
  * Recommend php5-xmlrpc and aspell
  * Suggest clamav
  * Demoted mimetex to recommended

  Generated config:
  * Turn 'dbpersist' on by default in the generated config.php
  * Include whitespace warning at the end of generated config.php
  * Set the path to du, unzip and zip

moodle (1.8.2.dfsg-4) unstable; urgency=high

  * Improve the fix for log URL filtering as suggested by Steffen Joeris
    (MSA-09-0007 / CVE-2009-0500)
  * Backport upstream fix for calendar export leakage
    (MSA-09-0006 / CVE-2009-0501)

moodle (1.8.2.dfsg-3) unstable; urgency=high

  * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
    (MSA-09-0005, CVE-2008-5153)
  * Hide images of deleted users (MSA-09-0001)
  * Fix user pix disclosure (MSA-09-0002)
  * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
  * Fix CSRF vulnerability in forum code (MSA-09-0008)

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update html2text to prevent code execution attacks (closes: #508909)

moodle (1.8.2.dfsg-1) unstable; urgency=high

  * Replace html2text with a GPL alternative (closes: #507947)
  * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
  * Add Dan Poltawski to the uploaders field

moodle (1.8.2-2) unstable; urgency=high

  * Adopt orphaned package (closes: #494642)
  * Acknowledge security NMU (closes: #489533, #432264)
  * Add Vcs-* fields to debian/control

  Release-critical and security bugs:
  * Depend on smarty instead of using the embedded copy that is shipped
    with Moodle (closes: #471158, #488525, #504345)
  * Patch security bug in the embedded (and customised) copy of phpmailer
    (CVE-2007-3215, closes: #429339, #429190)
  * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
  * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
  * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)

  Trivial bug fixes:
  * Depend on zip (closes: #408995)
  * Add mysql-client as an alternative to postgresql-client
    (closes: #417554, #469094)
  * Recommend php5-ldap (closes: #425839)
  * Delete unnecessary script with bashisms (closes: #489634)

  Lintian warnings:
  * Bump Standards-Version to 3.8.0
  * Add homepage field to debian/control
  * Remove cvsignore file
  * Remove extra license file
  * Depend on yui instead of using an embedded copy

moodle (1.8.2-1.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix broken HTML filtering which could be used to perform XSS attacks,
    bypass restrictions or possibly execute arbitrary code
    (CVE-2008-1502; Closes: #489533).

 -- Jordan Mantha