Changelog
moodle (2.7.11+dfsg-1) unstable; urgency=high
* New upstream security release, released Nov 9, 2015. Note that the
upstream 2.7 branch is now supported for security fixes only until May 2017
(LTS). Security issues fixed:
- MSA-15-0039 CSRF in site registration form
- MSA-15-0040 Student XSS in survey
- MSA-15-0041 XSS in flash video player
- MSA-15-0042 CSRF in lesson login form
- MSA-15-0043 Web service core_enrol_get_enrolled_users does not respect
course group mode
- MSA-15-0044 Capability to view available badges is not respected
- MSA-15-0045 SCORM module allows one to bypass access restrictions based on
date
- MSA-15-0046 Choice module closing date can be bypassed
(In https://moodle.org/mod/forum/discuss.php?d=322852 at Monday, November 9,
2015, 9:17 AM Marina Glancy wrote: "we'll publish details more widely in a
week." As of December 4, no CVEs seem to have been assigned.)
Other Fixes and improvements:
- MDL-51083 - Fixed undesired browser password autofilling in several forms
(majority of forms were fixed in MDL-45772 in previous release)
- MDL-51190 - Fixed MS Edge locking up when viewing embedded PDF
See https://docs.moodle.org/dev/Moodle_2.7.11_release_notes for more
details.
* debian/source/lintian-overrides: add some more incorrectly flagged
JavaScript files. See lintian bug 802028 (and 799861).
-- Joost van Baal-Ilić <email address hidden> Fri, 04 Dec 2015 15:12:23 +0100