Your message dated Mon, 11 Jan 2010 19:48:27 +0000
with message-id <[email protected]>
and subject line Bug#559531: fixed in moodle 1.8.2.dfsg-6
has caused the Debian Bug report #559531,
regarding moodle: Security fixes released 
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559531
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: moodle
Version: 1.8.2.dfsg-3+lenny2
Severity: grave
Tags: security
Justification: user security hole

A series of security issues are fixed in 1.8.11; also, salted passwords are 
enabled for new installations.
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

 Security issues

    * MSA-09-0022 - Multiple CSRF problems fixed
    * MSA-09-0023 - Fixed user account disclosure in LAMS module
    * MSA-09-0024 - Fixed insufficient access control in Glossary module
    * MSA-09-0025 - Unneeded MD5 hashes removed from user table
    * MSA-09-0026 - Fixed invalid application access control in MNET interface
    * MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
    * MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
    * MSA-09-0029 - Enabling a password salt is encouraged in config.php and admins are forced to change password after the upgrade
    * MSA-09-0031 - Fixed SQL injection in SCORM module 

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny6       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny2     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny4 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny4 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny2     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny4 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed



--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 1.8.2.dfsg-6

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.8.2.dfsg-6.diff.gz
  to main/m/moodle/moodle_1.8.2.dfsg-6.diff.gz
moodle_1.8.2.dfsg-6.dsc
  to main/m/moodle/moodle_1.8.2.dfsg-6.dsc
moodle_1.8.2.dfsg-6_all.deb
  to main/m/moodle/moodle_1.8.2.dfsg-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hubert Chathi <[email protected]> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Thu, 07 Jan 2010 14:54:54 -0500
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.8.2.dfsg-6
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <[email protected]>
Changed-By: Hubert Chathi <[email protected]>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 511202 559531
Changes: 
 moodle (1.8.2.dfsg-6) unstable; urgency=low
 .
   [Penny Leach]
   [ Cherry picked commits from our other branches ]
   * Security fixes from lenny ( ca557bfaec1d155e955733686ae6916793e6adc7 )
     - MSA-09-0019: SQL injection in update_record
     - MSA-09-0022: Multiple CSRF vulnerabilities (CVE-2009-4297)
     - MSA-09-0023: User account disclosure in LAMS module (CVE-2009-4298)
     - MSA-09-0024: Insufficient access control in glossary (CVE-2009-4299)
     - MSA-09-0026: Invalid application access control in MNET interface (CVE-2009-4301)
     - MSA-09-0028: Multiple backup/restore related issues (CVE-2009-4303)
     - MSA-09-0031: SQL injection in SCORM module (CVE-2009-4305)
     - Closes: #559531
   * Swedish translation from unfinished 1.9: da50a5742f4fabf68aa156d81f98e09be34060bc
     (Closes: #511202)
   * debconf-updatepo from unfinished 1.9: f525b18d6abd5c796c8cadce6137afd61dd2a4a7
 .
   [Hubert Chathi]
   * move po-debconf to Build-Depends, rather than Build-Depends-Indep (fixes lintian
     error, regarding policy section 7.7)
   [ Cherry picked commits from our other branches ]
   * Another security fix from lenny ( 9604c6d5b191abaf4e3cc47e7b297984a289769f )
    - MSA-09-0027: Login information can be sent unsecured even when site is configured
      to use SSL for logins (CVE-2009-4302)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAktLfqMACgkQrynHGRJLYfpNjQCgkGF/NaYxJsaTmaDK/mUQtARH
g5QAnA0IHXghHqXCwFdAvSnBnl/vGj2v
=KRny
-----END PGP SIGNATURE-----



--- End Message ---
