Change logs for moodle source package in Xenial

  • moodle (3.0.3+dfsg-0ubuntu1) xenial; urgency=medium
    
      [ Nishanth Aravamudan ]
      * New upstream release, as only 3.0.1+ has PHP7 support
        (LP: #1562172).
        - https://docs.moodle.org/dev/Moodle_and_PHP7
        - https://tracker.moodle.org/browse/MDL-50565
        - update d/rules dfsg target.
        - remove mdeploy*.php from d/install.
        - d/lintian-overrides, d/source/lintian-overrides: update embedded
          tinymce, yuilib, jquery versions.
        - d/rules: update override_dh_lintian.
      * d/control: update to PHP7.0 dependencies.
      * d/watch: correct for current releases.
    
      [ Steve Langasek ]
      * Also update lintian overrides for binary packages.
      * Remove some additional license files.
      * Drop some no-longer-applicable lintian overrides.
    
     -- Steve Langasek <email address hidden>  Fri, 01 Apr 2016 22:08:56 -0700
  • moodle (2.7.12+dfsg-1) unstable; urgency=high
    
      * New upstream security release, released Jan 11, 2016.  Note that the
        upstream 2.7 branch is supported for security fixes only until May 2017
        (LTS).  Security issue fixed:
        - (MSA-16-0001) CVE-2016-0724 Two enrolment-related web services don't check
          course visibility.  Thanks Salvatore Bonaccorso. Closes: #811344
        Other fixes and improvements:
        - MDL-49473 - Logs export contains year
        - MDL-52194 - Fixed Flowplayer not working with insecure configuration of
          request_order
        See https://docs.moodle.org/dev/Moodle_2.7.12_release_notes for more
        details.
      * debian/links, debian/rules: delegate creating symlinks to dh_link, via
        debian/links.  This should fix a bug in upgrading: old obsolete symlinks are
        kept.
      * debian/rules: no longer install bennu/COPYRIGHT.txt, dragmath/COPYRIGHT.html
        in usr/share/moodle/lib .
      * debian/control: get rid of Breaks/Replaces moodle-book: moodle-book was only
        shipped with squeeze (current oldoldstable).
      * debian/control: remove Penny Leach <penny /a/ mjollnir 0 org>, Xavier Oswald
        <xoswald@d.o> from Uploaders: I haven't seen any activity from them for
        more than one year.  Penny, Xavier: you're very much invited to add yourself
        again.
      * debian/rules: no longer run debhelper in verbose mode.
    
     -- Joost van Baal-Ilić <email address hidden>  Mon, 18 Jan 2016 08:38:29 +0100
  • moodle (2.7.11+dfsg-2) unstable; urgency=high
    
      * debian/rules: no longer link to content from
        /usr/share/php-htmlpurifier/library/, but directly to
        /usr/share/php/HTMLPurifier*.  This way, the php-htmlpurifier maintainers
        can get rid of the compatibility symlink introduced in Debian Jessie.
        Also: not only link to HTMLPurifier.php and HTMLPurifier.safe-includes.php,
        but also to HTMLPurifier.autoload.php HTMLPurifier.auto.php
        HTMLPurifier.func.php HTMLPurifier.includes.php HTMLPurifier.kses.php and
        HTMLPurifier.path.php.  Thanks David Prévot.  Closes: #803175
      * debian/po/es.po: update Spanish translation. Thanks
        Javier Fernández-Sanguino. Closes: #773567
      * debian/control: make installation dependencies more flexible by adding
        php5-fpm as alternative to libapache2-mod-php5 | php5-cgi. Thanks Detlev
        Brodowski. Closes: #807072
      * debian/rules: replace obsolete "dh binary-indep --before dh_lintian" and
        "dh binary-indep --remaining" by "override_dh_lintian" and "dh_lintian".
        Thanks lintian.
      * debian/changelog: add CVE IDs to entry moodle (2.7.11+dfsg-1).
      * debian/changelog: in entry moodle (2.7.2+dfsg-3), refer to #754565 and
        give credit.
      * debian/changelog: in entry moodle (2.7.2-2), refer to #736800 and give
        credit.
    
     -- Joost van Baal-Ilić <email address hidden>  Mon, 07 Dec 2015 13:52:32 +0100
  • moodle (2.7.11+dfsg-1) unstable; urgency=high
    
      * New upstream security release, released Nov 9, 2015.  Note that the
        upstream 2.7 branch is now supported for security fixes only until May 2017
        (LTS).  Security issues fixed:
        - MSA-15-0039 CSRF in site registration form
        - MSA-15-0040 Student XSS in survey
        - MSA-15-0041 XSS in flash video player
        - MSA-15-0042 CSRF in lesson login form
        - MSA-15-0043 Web service core_enrol_get_enrolled_users does not respect
          course group mode
        - MSA-15-0044 Capability to view available badges is not respected
        - MSA-15-0045 SCORM module allows one to bypass access restrictions based on
          date
        - MSA-15-0046 Choice module closing date can be bypassed
        (In https://moodle.org/mod/forum/discuss.php?d=322852 at Monday, November 9,
        2015, 9:17 AM Marina Glancy wrote: "we'll publish details more widely in a
        week."  As of December 4, no CVEs seem to have been assigned.)
        Other Fixes and improvements:
        - MDL-51083 - Fixed undesired browser password autofilling in several forms
          (majority of forms were fixed in MDL-45772 in previous release)
        - MDL-51190 - Fixed MS Edge locking up when viewing embedded PDF
        See https://docs.moodle.org/dev/Moodle_2.7.11_release_notes for more
        details.
      * debian/source/lintian-overrides: add some more incorrectly flagged
        javascript files.  See lintian bug 802028 (and 799861).
    
     -- Joost van Baal-Ilić <email address hidden>  Fri, 04 Dec 2015 15:12:23 +0100
  • moodle (2.7.10+dfsg-1) unstable; urgency=high
    
      * New upstream security release, released Sept 21, 2015. Note that the
        upstream 2.7 branch is now supported for security fixes only until May 2017
        (LTS).  Security issues fixed:
        - MSA-15-0030: Students can re-attempt answering questions in the lesson,
          Reported by Eric Eakin, MDL-50516, CVE-2015-5264
        - MSA-15-0031: Teacher in forum can still post to "all participants" and
          groups they are not members of, Reported by David Scotson, MDL-50576,
          CVE-2015-5272
        - MSA-15-0032: Users can delete files uploaded by other users in wiki,
          Reported by John Provasnik, MDL-48371, CVE-2015-5265
        - MSA-15-0033: Meta course synchronisation enrols suspended students as
          managers for a short period of time, Reported by Brian Winstead,
          MDL-50744, CVE-2015-5266
        - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
          Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
        - MSA-15-0035: Rating component does not check separate groups, Reported by
          Juan Leyva, MDL-50173, CVE-2015-5268
        - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
          MDL-50709, CVE-2015-5269
        See the 21 Sep 2015 post from Marina Glancy at
        http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details on
        these fixed security issues.  Some other fixes and improvements: MDL-51050
        - Forms such as "Create new group" are no longer populated with passwords
        and usernames by the browsers; MDL-42670 - Recent activity block no longer
        shows student name when assignment blind marking is on. See
        https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more details.
        Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
        Closes: #799634
      * debian/source/lintian-overrides: add comment/comment.js, some
        lib/yuilib/3.15.0/**/*-debug.js and
        lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
        positives "source-is-missing". Bug #799861 reported against lintian.
      * debian/copyright: clarify license situation of
        lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
        lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks
        Ondřej Surý and Paul Tagliamonte. Closes: #752615
      * debian/control: no longer depend upon libphp-pclzip.  This dependency was
        actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
        Thanks David Prévot. Closes: #749609
      * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
        See also https://tracker.moodle.org/browse/MDL-45395 .  Thanks Dan Poltawski
        e.a.
    
     -- Joost van Baal-Ilić <email address hidden>  Mon, 21 Sep 2015 09:52:15 +0200
  • moodle (2.7.9+dfsg-1) unstable; urgency=high
    
      * New upstream security release, released July 6, 2015. Note that the upstream
        2.7 branch is now supported for security fixes only until May 2017 (LTS).
        Security issues fixed:
        - MSA-15-0026 Possible phishing when redirecting to external site using
          referer header, Reported by Totara, MDL-50688, CVE-2015-3272
        - MSA-15-0028 Possible XSS through custom text profile fields in Web
          Services, Reported by Marina Glancy, MDL-50130, CVE-2015-3274
        - MSA-15-0029 Javascript injection in SCORM module, Reported by Martin
          Greenaway, MDL-50614, CVE-2015-3275
        See http://www.openwall.com/lists/oss-security/2015/07/13/2 for more details
        on these fixed security issues.  Some other fixes and improvements:
        MDL-50380 - Fixed missing parameter error when editing files in wiki;
        MDL-50177 - Upgrading assignments in 2.7/2.8 works even when conditional
        access is used; MDL-50275 - Added missing version bump after risk bitmap
        change in MDL-49941.  See the Moodle 2.7.9 release notes at
        https://docs.moodle.org/dev/Moodle_2.7.9_release_notes for more details.
        Thanks Salvatore Bonaccorso. Closes: #792242
      * debian/changelog: fix line length: max 80 columns.
    
     -- Joost van Baal-Ilić <email address hidden>  Thu, 16 Jul 2015 15:44:09 +0200