moodle (3.0.3+dfsg-0ubuntu1) xenial; urgency=medium

  [ Nishanth Aravamudan ]
  * New upstream release, as only 3.0.1+ has PHP7 support (LP: #1562172).
    - https://docs.moodle.org/dev/Moodle_and_PHP7
    - https://tracker.moodle.org/browse/MDL-50565
    - update d/rules dfsg target.
    - remove mdeploy*.php from d/install.
    - d/lintian-overrides, d/source/lintian-overrides: update embedded
      tinymce, yuilib, jquery versions.
    - d/rules: update override_dh_lintian.
  * d/control: update to PHP7.0 dependencies.
  * d/watch: correct for current releases.

  [ Steve Langasek ]
  * Also update lintian overrides for binary packages.
  * Remove some additional license files.
  * Drop some no-longer-applicable lintian overrides.

 -- Steve Langasek  Fri, 01 Apr 2016 22:08:56 -0700

moodle (2.7.12+dfsg-1) unstable; urgency=high

  * New upstream security release, released Jan 11, 2016. Note that the
    upstream 2.7 branch is supported for security fixes only until May 2017
    (LTS).
    Security issue fixed:
    - (MSA-16-0001) CVE-2016-0724 Two enrolment-related web services don't
      check course visibility. Thanks Salvatore Bonaccorso. Closes: #811344
    Other fixes and improvements:
    - MDL-49473 - Logs export contains year
    - MDL-52194 - Fixed Flowplayer not working with insecure configuration of
      request_order
    See https://docs.moodle.org/dev/Moodle_2.7.12_release_notes for more
    details.
  * debian/links, debian/rules: delegate creating symlinks to dh_link, via
    debian/links. This should fix a bug in upgrading: old obsolete symlinks
    are kept.
  * debian/rules: no longer install bennu/COPYRIGHT.txt,
    dragmath/COPYRIGHT.html in usr/share/moodle/lib .
  * debian/control: get rid of Breaks/Replaces moodle-book: moodle-book was
    only shipped with squeeze (current oldoldstable).
  * debian/control: remove Penny Leach, Xavier Oswald from Uploaders: I
    haven't seen any activity from them for more than a year. Penny, Xavier:
    you're very much invited to add yourself again.
  * debian/rules: no longer run debhelper in verbose mode.

 -- Joost van Baal-Ilić  Mon, 18 Jan 2016 08:38:29 +0100

moodle (2.7.11+dfsg-2) unstable; urgency=high

  * debian/rules: no longer link to content from
    /usr/share/php-htmlpurifier/library/, but directly to
    /usr/share/php/HTMLPurifier*. This way, the php-htmlpurifier maintainers
    can get rid of the compatibility symlink introduced in Debian Jessie.
    Also: not only link to HTMLPurifier.php and
    HTMLPurifier.safe-includes.php, but also to HTMLPurifier.autoload.php,
    HTMLPurifier.auto.php, HTMLPurifier.func.php, HTMLPurifier.includes.php,
    HTMLPurifier.kses.php and HTMLPurifier.path.php. Thanks David Prévot.
    Closes: #803175
  * debian/po/es.po: update Spanish translation. Thanks Javier
    Fernández-Sanguino. Closes: #773567
  * debian/control: make installation dependencies more flexible by adding
    php5-fpm as alternative to libapache2-mod-php5 | php5-cgi. Thanks Detlev
    Brodowski. Closes: #807072
  * debian/rules: replace obsolete "dh binary-indep --before dh_lintian" and
    "dh binary-indep --remaining" by "override_dh_lintian" and "dh_lintian".
    Thanks lintian.
  * debian/changelog: add CVE IDs to entry moodle (2.7.11+dfsg-1).
  * debian/changelog: in entry moodle (2.7.2+dfsg-3), refer to #754565 and
    give credit.
  * debian/changelog: in entry moodle (2.7.2-2), refer to #736800 and give
    credit.

 -- Joost van Baal-Ilić  Mon, 07 Dec 2015 13:52:32 +0100

moodle (2.7.11+dfsg-1) unstable; urgency=high

  * New upstream security release, released Nov 9, 2015.
    Security issues fixed:
    - (MSA-15-0039) CVE-2015-5335 CSRF in site registration form: Attacker
      can send admin a link to site registration form that will display
      correct URL but, if submitted, will register with another hub. It is
      possible to trick a site/admin into sending aggregate stats to an
      arbitrary domain. Reported by Andrew Davis; Upstream patch:
      http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
    - (MSA-15-0040) CVE-2015-5336 Student XSS in survey: Standard survey
      module is vulnerable to XSS attack by students who fill the survey.
      Reported by Hugh Davenport; Upstream patch: MDL-49940
    - (MSA-15-0041) CVE-2015-5337 XSS in flash video player: XSS
      vulnerability caused by Flowplayer flash video player has been
      addressed. Reported by Andrew Nicols; MDL-48085
    - (MSA-15-0042) CVE-2015-5338 CSRF in lesson login form:
      Password-protected lesson modules are subject to CSRF vulnerability.
      Reported by Ankit Agarwal; MDL-48109.
    - (MSA-15-0043) CVE-2015-5339 Web service core_enrol_get_enrolled_users
      does not respect course group mode: Through WS
      core_enrol_get_enrolled_users it is possible to retrieve list of course
      participants who would not be visible when using web site. Reported by
      Daniel Palou; MDL-51861
    - (MSA-15-0044) CVE-2015-5340 Capability to view available badges is not
      respected: Logged in users who do not have capability 'View available
      badges without earning them' can still access the full list of badges.
      Capability moodle/badges:viewbadges is not respected. Reported by
      Marina Glancy; MDL-51684
    - (MSA-15-0045) CVE-2015-5341 SCORM module allows to bypass access
      restrictions based on date: Incorrect and missing handling of
      availability dates in mod_scorm let users view the SCORM contents
      bypassing the date restriction. Reported by Juan Leyva; MDL-50837
    - (MSA-15-0046) CVE-2015-5342 Choice module closing date can be bypassed:
      Users can mock the URL to delete or submit new responses after the
      choice module was closed. Reported by Juan Leyva; MDL-51569
    See https://bugzilla.redhat.com/show_bug.cgi?id=1288158 for details.
    Thanks Adam Mariš @ Red Hat. See also
    https://moodle.org/mod/forum/discuss.php?d=322852 , published Nov 9,
    2015.
    Other fixes and improvements:
    - MDL-51083 - Fixed undesired browser password autofilling in several
      forms (majority of forms were fixed in MDL-45772 in previous release)
    - MDL-51190 - Fixed MS Edge locking up when viewing embedded PDF
    See https://docs.moodle.org/dev/Moodle_2.7.11_release_notes for more
    details.
  * debian/source/lintian-overrides: add some more incorrectly flagged
    javascript files. See lintian bug 802028 (and 799861).

 -- Joost van Baal-Ilić  Fri, 04 Dec 2015 15:12:23 +0100

moodle (2.7.10+dfsg-1) unstable; urgency=high

  * New upstream security release, released Sept 21, 2015.
    Security issues fixed:
    - MSA-15-0030: Students can re-attempt answering questions in the lesson,
      Reported by Eric Eakin, MDL-50516, CVE-2015-5264
    - MSA-15-0031: Teacher in forum can still post to "all participants" and
      groups they are not members of, Reported by David Scotson, MDL-50576,
      CVE-2015-5272
    - MSA-15-0032: Users can delete files uploaded by other users in wiki,
      Reported by John Provasnik, MDL-48371, CVE-2015-5265
    - MSA-15-0033: Meta course synchronisation enrols suspended students as
      managers for a short period of time, Reported by Brian Winstead,
      MDL-50744, CVE-2015-5266
    - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
      Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
    - MSA-15-0035: Rating component does not check separate groups, Reported
      by Juan Leyva, MDL-50173, CVE-2015-5268
    - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
      MDL-50709, CVE-2015-5269
    See the 21 Sep 2015 post from Marina Glancy at
    http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details
    on these fixed security issues.
    Some other fixes and improvements: MDL-51050 - Forms such as "Create new
    group" are no longer populated with passwords and usernames by the
    browsers; MDL-42670 - Recent activity block no longer shows student name
    when assignment blind marking is on.
    See https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more
    details.
    Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
    Closes: #799634
  * debian/source/lintian-overrides: add comment/comment.js, some
    lib/yuilib/3.15.0/**/*-debug.js and
    lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
    positives "source-is-missing". Bug #799861 reported against lintian.
  * debian/copyright: clarify license situation of
    lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
    lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks Ondřej Surý and
    Paul Tagliamonte. Closes: #752615
  * debian/control: no longer depend upon libphp-pclzip. This dependency was
    actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
    Thanks David Prévot. Closes: #749609
  * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
    See also https://tracker.moodle.org/browse/MDL-45395 . Thanks Dan
    Poltawski et al.

 -- Joost van Baal-Ilić  Mon, 21 Sep 2015 09:52:15 +0200

moodle (2.7.9+dfsg-1) unstable; urgency=high

  * New upstream security release, released July 6, 2015.
    Security issues fixed:
    - MSA-15-0026 Possible phishing when redirecting to external site using
      referer header, Reported by Totara, MDL-50688, CVE-2015-3272
    - MSA-15-0028 Possible XSS through custom text profile fields in Web
      Services, Reported by Marina Glancy, MDL-50130, CVE-2015-3274
    - MSA-15-0029 Javascript injection in SCORM module, Reported by Martin
      Greenaway, MDL-50614, CVE-2015-3275
    See http://www.openwall.com/lists/oss-security/2015/07/13/2 for more
    details on these fixed security issues.
    Some other fixes and improvements: MDL-50380 - Fixed missing parameter
    error when editing files in wiki; MDL-50177 - Upgrading assignments in
    2.7/2.8 works even when conditional access is used; MDL-50275 - Added
    missing version bump after risk bitmap change in MDL-49941.
    See the Moodle 2.7.9 release notes at
    https://docs.moodle.org/dev/Moodle_2.7.9_release_notes for more details.
    Thanks Salvatore Bonaccorso. Closes: #792242
  * debian/changelog: fix line length: max 80 columns.

 -- Joost van Baal-Ilić  Thu, 16 Jul 2015 15:44:09 +0200

moodle (2.7.8+dfsg-1) unstable; urgency=high

  * New upstream security release, released 11 May 2015.
    Security issues fixed:
    - MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare
      that, Reported by Hugh Davenport, MDL-49941, CVE-2015-3174
    - MSA-15-0019: Possible phishing when redirecting to external site using
      referer header, Reported by Dingjie Yang, MDL-49179, CVE-2015-3175
    - MSA-15-0020: User fullname disclosure through account confirmation
      link, Reported by Federico Kirschbaum, MDL-50099, CVE-2015-3176
    - MSA-15-0022: Potential XSS risk when returning text entered by student
      from Web Services, Reported by Eloy Lafuente, MDL-49718, CVE-2015-3178
    - MSA-15-0023: Suspended user is able to login when confirming email,
      Reported by Marina Glancy, MDL-50090, CVE-2015-3179
    - MSA-15-0024: User with suspended enrolment can see sections in the
      navigation tree, Reported by Alex Mitin, MDL-49788, CVE-2015-3180
    - MSA-15-0025: Capability to manage own files is not respected in Web
      Services, Reported by Juan Leyva, MDL-49994, CVE-2015-3181
    See http://www.openwall.com/lists/oss-security/2015/05/18/1 for more
    details on these fixed security issues.
    Some other fixes: MDL-48187 - Fixed problem with new items automatically
    marked as extra credit in SWM category in Gradebook; MDL-42449 - Grade
    category is preserved when duplicating a module; MDL-46746, MDL-47003,
    MDL-47002 - Atto editor HTML cleaning is less aggressive and more aware
    of special tags, especially noticeable when pasting text from Word.
    See the Moodle 2.7.8 release notes at
    https://docs.moodle.org/dev/Moodle_2.7.8_release_notes for more details.
    Thanks Salvatore Bonaccorso. Closes: #785591
  * debian/watch: fix syntax.

 -- Joost van Baal-Ilić  Fri, 22 May 2015 10:34:59 +0200

moodle (2.7.7+dfsg-2) unstable; urgency=high

  * debian/install: now installs scripts mdeploy.php and mdeploytest.php.
  * debian/install: now installs the directory "availability", thanks
    Maarten Horden and Oscar Diaz (Closes: #778422).
  * debian/changelog: Add some extra information on issues fixed in entry
    moodle (2.7.7+dfsg-1), thanks Marina Glancy and Thijs Kinkhorst.
  * debian/changelog: Add some extra information on CVE-2013-3630 in entry
    moodle (2.7.5+dfsg-3), thanks Marina Glancy.

 -- Joost van Baal-Ilić  Tue, 17 Mar 2015 14:20:39 +0100

moodle (2.7.7+dfsg-1) unstable; urgency=high

  * New upstream security release, released 10 March 2015. (Moodle 2.7.6
    was released 9 March 2015). Issues fixed:
    - MSA-15-0010: Personal contacts and number of unread messages can be
      revealed, Reported by Barry Oosthuizen, MDL-49204, CVE-2015-2266
    - MSA-15-0011: Authentication in mdeploy can be bypassed. Reported by
      Frédéric Massart, MDL-49087, CVE-2015-2267
    - MSA-15-0012: ReDoS Possible with Convert links to URLs filter.
      Reported by Rob, MDL-38466, CVE-2015-2268
    - MSA-15-0013: Block title not properly escaped and may cause HTML
      injection. Reported by Gjoko Krstic, MDL-49144, CVE-2015-2269
    - MSA-15-0014: Potential information disclosure for the inaccessible
      courses. Reported by Sam Hemelryk, MDL-48804, CVE-2015-2270
    - MSA-15-0015: User without proper permission is able to mark the tag as
      inappropriate, Reported by Frédéric Massart, MDL-49084, CVE-2015-2271
    - MSA-15-0016: Web services token can be created for user with temporary
      password. Reported by Juan Leyva, MDL-48691, CVE-2015-2272
    - MSA-15-0017: XSS in quiz statistics report. Reported by Tim Hunt,
      MDL-49364, CVE-2015-2273
  * debian/changelog: enhance 2.7.2-1 entry: add note on upstream long term
    support of this 2.7 branch.
  * debian/TODO: add some build instructions.
  * debian/control: more strict php-cas dependency: known to break with
    1.3.1-4+deb7u1, known to work with 1.3.3-1.

 -- Joost van Baal-Ilić  Tue, 10 Mar 2015 14:12:49 +0100

moodle (2.7.5+dfsg-3) unstable; urgency=high

  * debian/README.Debian: add authors and dates, in order to make status more
    clear.
  * debian/watch: (trying to) get it working again, with revamped moodle.org
    website.
  * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
  * For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
    will not get fixed: it's not a bug: the attack can only get launched by
    an administrator, and administrators need to be trusted. Sites that
    provide shared hosting and want to prevent the Moodle admin user from
    being able to set executable paths can also use:
    "$CFG->preventexecpath = true;". See also Debian bug #775842 and Moodle
    issue MDL-41449.
  * Fix CVE-2014-4172 and CVE-2014-2054:
    - debian/rules, debian/control: don't use CAS client library as shipped
      with moodle (unchanged phpCAS 1.3.3, see upstream
      auth/cas/CAS/moodle_readme.txt) but php-cas as shipped with Debian
      (1.3.3-1 and 1.3.1-4+deb7u1); create symlinks
      /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php and
      /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes
      CVE-2014-4172.
    - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
      lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes
      both a license problem and a security problem: Although the PHP
      license is generally agreed to be DFSG-free, using it as a license on
      anything that isn't PHP itself makes the result non-free. PHP OLE is
      licensed under the PHP license. Older versions of PHP Excel, such as
      the one shipped with moodle, suffer from security problem
      CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
      (Closes: #746594)
    This closed Debian bug "Multiple security issues"; thanks Moritz
    Muehlenhoff, Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

 -- Joost van Baal-Ilić  Mon, 09 Mar 2015 12:56:41 +0100

# For older changelog entries, run 'apt-get changelog moodle'
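Several entries above replace bundled copies of HTMLPurifier and phpCAS with symlinks into /usr/share/php, and the 2.7.12+dfsg-1 entry moves symlink creation to dh_link because obsolete symlinks survived upgrades. A stale link of that kind either dangles or still points at a path the packaging no longer uses, so it is worth checking after an upgrade. The POSIX shell script below is an added example, not part of the moodle package or this changelog: it builds a small constructed directory tree that mirrors the changelog's layout (one current link into usr/share/php and one obsolete link into the old php-htmlpurifier compatibility path), then lists dangling links and links that do not resolve under the expected system path. The function names and the temporary tree are my own; no real installation is touched.

```shell
#!/bin/sh
# Added example (not from the moodle package): post-upgrade symlink checks.

# Print symlinks under $1 whose target does not exist (dangling links).
find_dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# Count dangling symlinks under $1 (output is a bare number).
count_dangling_links() {
    find_dangling_links "$1" | wc -l | tr -d ' '
}

# Print "link -> target" for every symlink under $1 whose canonical target
# is not located under directory $2; dangling links are reported as such.
links_outside() {
    root=$1
    allowed=$2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=''
        case "$target" in
            "$allowed"/*) ;;
            *) printf '%s -> %s\n' "$link" "${target:-(dangling)}" ;;
        esac
    done
}

# Build a constructed demo tree and print its (canonical) root directory.
build_demo_tree() {
    demo=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$demo/usr/share/php" "$demo/usr/share/moodle/lib/htmlpurifier"
    : > "$demo/usr/share/php/HTMLPurifier.php"
    # Current link, as debian/links would declare it.
    ln -s "$demo/usr/share/php/HTMLPurifier.php" \
        "$demo/usr/share/moodle/lib/htmlpurifier/HTMLPurifier.php"
    # Obsolete link left behind by an older package revision, pointing at
    # the compatibility directory that no longer exists.
    ln -s "$demo/usr/share/php-htmlpurifier/library/HTMLPurifier.auto.php" \
        "$demo/usr/share/moodle/lib/htmlpurifier/HTMLPurifier.auto.php"
    printf '%s\n' "$demo"
}

# Stand-alone run: build the constructed tree, report, and clean up.
demo=$(build_demo_tree)
echo "Dangling symlinks under $demo/usr/share/moodle:"
find_dangling_links "$demo/usr/share/moodle"
echo "Symlinks not resolving under $demo/usr/share/php:"
links_outside "$demo/usr/share/moodle" "$demo/usr/share/php"
rm -rf "$demo"
```

On a real system the same two functions can be pointed at /usr/share/moodle and /usr/share/php; an empty result from both is what a clean upgrade should produce, and a hit from links_outside is usually a link left over from an older package revision rather than a packaging bug in the current one.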