Your message dated Tue, 16 Dec 2008 07:47:05 +0000
with message-id <[email protected]>
and subject line Bug#508593: fixed in moodle 1.8.2.dfsg-1
has caused the Debian Bug report #508593,
regarding CVE-2008-5432: Cross-site scripting (XSS) vulnerability via a Wiki 
page name
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
508593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: moodle
Version: 1.6.3-2
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
moodle.

CVE-2008-5432[1]:
> Cross-site scripting (XSS) vulnerability in Moodle before 1.6.8, 1.7 before
> 1.7.6, 1.8 before 1.8.7, and 1.9 before 1.9.3 allows remote attackers to
> inject arbitrary web script or HTML via a Wiki page name (aka page title).

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5432
     http://security-tracker.debian.net/tracker/CVE-2008-5432

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.8.2.dfsg-1

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.8.2.dfsg-1.diff.gz
  to pool/main/m/moodle/moodle_1.8.2.dfsg-1.diff.gz
moodle_1.8.2.dfsg-1.dsc
  to pool/main/m/moodle/moodle_1.8.2.dfsg-1.dsc
moodle_1.8.2.dfsg-1_all.deb
  to pool/main/m/moodle/moodle_1.8.2.dfsg-1_all.deb
moodle_1.8.2.dfsg.orig.tar.gz
  to pool/main/m/moodle/moodle_1.8.2.dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <[email protected]> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 16 Dec 2008 20:24:27 +1300
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.8.2.dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team <[email protected]>
Changed-By: Francois Marier <[email protected]>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 507947 508593
Changes: 
 moodle (1.8.2.dfsg-1) unstable; urgency=high
 .
   * Replace html2text with a GPL alternative (closes: #507947)
   * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
   * Add Dan Poltawski to the uploaders field

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklHWCgACgkQScUZKBnQNIa1KgCbBOMeRrzxNGwIPMh58NlwxaJd
4+AAnRfsv/yEnvWGuex+wDZqSjAKTa3X
=tHi5
-----END PGP SIGNATURE-----



--- End Message ---
