Changelog

moodle (2.7.10+dfsg-1) unstable; urgency=high

  * New upstream security release, released Sept 21, 2015. Note that the
    upstream 2.7 branch is now supported for security fixes only until May 2017
    (LTS).  Security issues fixed:
    - MSA-15-0030: Students can re-attempt answering questions in the lesson,
      Reported by Eric Eakin, MDL-50516, CVE-2015-5264
    - MSA-15-0031: Teacher in forum can still post to "all participants" and
      groups they are not members of, Reported by David Scotson, MDL-50576,
      CVE-2015-5272
    - MSA-15-0032: Users can delete files uploaded by other users in wiki,
      Reported by John Provasnik, MDL-48371, CVE-2015-5265
    - MSA-15-0033: Meta course synchronisation enrols suspended students as
      managers for a short period of time, Reported by Brian Winstead,
      MDL-50744, CVE-2015-5266
    - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
      Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
    - MSA-15-0035: Rating component does not check separate groups, Reported by
      Juan Leyva, MDL-50173, CVE-2015-5268
    - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
      MDL-50709, CVE-2015-5269
    See the 21 Sep 2015 post from Marina Glancy at
    http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details on
    these fixed security issues.  Some other fixes and improvements: MDL-51050
    - Forms such as "Create new group" are no longer populated with passwords
    and usernames by the browsers; MDL-42670 - Recent activity block no longer
    shows student name when assignment blind marking is on. See
    https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more details.
    Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
    Closes: #799634
  * debian/source/lintian-overrides: add comment/comment.js, some
    lib/yuilib/3.15.0/**/*-debug.js and
    lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
    positives "source-is-missing". Bug #799861 reported against lintian.
  * debian/copyright: clarify license situation of
    lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
    lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks
    Ondřej Surý and Paul Tagliamonte. Closes: #752615
  * debian/control: no longer depend upon libphp-pclzip.  This dependency was
    actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
    Thanks David Prévot. Closes: #749609
  * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
    See also https://tracker.moodle.org/browse/MDL-45395 .  Thanks Dan Poltawski
    e.a.

 -- Joost van Baal-Ilić <email address hidden>  Mon, 21 Sep 2015 09:52:15 +0200
