-
moodle (2.7.5+dfsg-3) unstable; urgency=high
* debian/README.Debian: add authors and dates, in order to make status more
clear.
* debian/watch: (trying to) get it working again, with revamped moodle.org website.
* debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
* For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
will not get fixed: it's not a bug: the attack can only get launched by an
administrator, and administrators need to be trusted. See also Debian
bug #775842.
* Fix CVE-2014-4172 and CVE-2014-2054:
- debian/rules, debian/control: don't use CAS client library as shipped with
moodle (unchanged phpCAS 1.3.3, see upstream auth/cas/CAS/moodle_readme.txt)
but php-cas as shipped with Debian (1.3.3-1 and 1.3.1-4+deb7u1); create
symlinks /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php
and /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes CVE-2014-4172.
- debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes both a
license problem and a security problem: Although the PHP license is generally
agreed to be DFSG-free, using it as a license on anything that isn't PHP
itself makes the result non-free. PHP OLE is licensed under the PHP license.
Older versions of PHP Excel, such as the one shipped with moodle, suffer from
security problem CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
This closed Debian bug "Multiple security issues"; thanks Moritz Muehlenhoff,
Thijs Kinkhorst and Hubert Chathi (Closes: #775842)
-- Joost van Baal-Ilić <email address hidden> Mon, 09 Mar 2015 12:56:41 +0100
-
moodle (2.7.5+dfsg-2) unstable; urgency=high
* debian/README.Debian: add notes on upgrading.
* debian/TODO: added.
* debian/changelog: add CVE-number to previous entry.
-- Joost van Baal-Ilić <email address hidden> Tue, 10 Feb 2015 14:27:09 +0000
-
moodle (2.7.5+dfsg-1) unstable; urgency=high
* New upstream security release:
Moodle 2.7.5 release notes, Release date: 2 February, 2015: "A number of
security related issues were resolved. Details of these issues will be released
after a period of approximately one week to allow system administrators to
safely update to the latest version." "Here is the full list of fixed issues in 2.7.5:
https://tracker.moodle.org/issues/?jql=project+%3D+mdl+AND+resolution+%3D+fixed+AND+fixVersion+in+%28%222.7.5%22%29+ORDER+BY+priority+DESC"
See also https://docs.moodle.org/dev/Moodle_2.7.5_release_notes .
-- Joost van Baal-Ilić <email address hidden> Mon, 02 Feb 2015 08:38:14 +0000
-
moodle (2.6.3-1) unstable; urgency=medium
* New upstream release.
-- Thijs Kinkhorst <email address hidden> Mon, 12 May 2014 16:10:38 +0200