Changelog
moodle (2.7.8+dfsg-1) unstable; urgency=high
  * New upstream security release, released 11 May 2015. Note that the upstream
    2.7 branch is now supported for security fixes only until May 2017 (LTS).
    Security issues fixed:
    - MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare
      that, Reported by Hugh Davenport, MDL-49941, CVE-2015-3174
    - MSA-15-0019: Possible phishing when redirecting to external site using
      referer header, Reported by Dingjie Yang, MDL-49179, CVE-2015-3175
    - MSA-15-0020: User fullname disclosure through account confirmation link,
      Reported by: Federico Kirschbaum, MDL-50099, CVE-2015-3176
    - MSA-15-0022: Potential XSS risk when returning text entered by student
      from Web Services, Reported by Eloy Lafuente, MDL-49718, CVE-2015-3178
    - MSA-15-0023: Suspended user is able to login when confirming email,
      Reported by Marina Glancy, MDL-50090, CVE-2015-3179
    - MSA-15-0024: User with suspended enrolment can see sections in the
      navigation tree, Reported by Alex Mitin, MDL-49788, CVE-2015-3180
    - MSA-15-0025: Capability to manage own files is not respected in Web
      Services, Reported by Juan Leyva, MDL-49994, CVE-2015-3181
    See http://www.openwall.com/lists/oss-security/2015/05/18/1 for more details
    on these fixed security issues. Some other fixes: MDL-48187 - Fixed problem
    with new items automatically marked as extra credit in SWM category in
    Gradebook; MDL-42449 - Grade category is preserved when duplicating a module;
    MDL-46746, MDL-47003, MDL-47002 - Atto editor HTML cleaning is less aggressive
    and more aware of special tags, especially noticeable when pasting text from
    Word. See the Moodle 2.7.8 release notes at
    https://docs.moodle.org/dev/Moodle_2.7.8_release_notes for more details.
    Thanks Salvatore Bonaccorso. Closes: #785591
  * debian/watch: fix syntax.
-- Joost van Baal-Ilić <email address hidden> Fri, 22 May 2015 10:34:59 +0200