Your message dated Mon, 09 Mar 2015 12:04:35 +0000 with message-id <[email protected]> and subject line Bug#775842: fixed in moodle 2.7.5+dfsg-3 has caused the Debian Bug report #775842, regarding moodle: Multiple security issues to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
775842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security
Justification: user security hole

The current Moodle package in the archive is affected by multiple security issues:

https://security-tracker.debian.org/tracker/CVE-2015-0218
https://security-tracker.debian.org/tracker/CVE-2015-0217
https://security-tracker.debian.org/tracker/CVE-2015-0216
https://security-tracker.debian.org/tracker/CVE-2015-0215
https://security-tracker.debian.org/tracker/CVE-2015-0214
https://security-tracker.debian.org/tracker/CVE-2015-0213
https://security-tracker.debian.org/tracker/CVE-2015-0212
https://security-tracker.debian.org/tracker/CVE-2015-0211
https://security-tracker.debian.org/tracker/CVE-2014-9059
https://security-tracker.debian.org/tracker/CVE-2014-7848
https://security-tracker.debian.org/tracker/CVE-2014-7847
https://security-tracker.debian.org/tracker/CVE-2014-7846
https://security-tracker.debian.org/tracker/CVE-2014-7845
https://security-tracker.debian.org/tracker/CVE-2014-7838
https://security-tracker.debian.org/tracker/CVE-2014-7837
https://security-tracker.debian.org/tracker/CVE-2014-7836
https://security-tracker.debian.org/tracker/CVE-2014-7835
https://security-tracker.debian.org/tracker/CVE-2014-7834
https://security-tracker.debian.org/tracker/CVE-2014-7833
https://security-tracker.debian.org/tracker/CVE-2014-7832
https://security-tracker.debian.org/tracker/CVE-2014-7831
https://security-tracker.debian.org/tracker/CVE-2014-7830
https://security-tracker.debian.org/tracker/CVE-2014-4172
https://security-tracker.debian.org/tracker/CVE-2014-3617
https://security-tracker.debian.org/tracker/CVE-2014-3553
https://security-tracker.debian.org/tracker/CVE-2014-3551
https://security-tracker.debian.org/tracker/CVE-2014-3548
https://security-tracker.debian.org/tracker/CVE-2014-3547
https://security-tracker.debian.org/tracker/CVE-2014-3546
https://security-tracker.debian.org/tracker/CVE-2014-3545
https://security-tracker.debian.org/tracker/CVE-2014-3544
https://security-tracker.debian.org/tracker/CVE-2014-3543
https://security-tracker.debian.org/tracker/CVE-2014-3542
https://security-tracker.debian.org/tracker/CVE-2014-3541
https://security-tracker.debian.org/tracker/CVE-2014-2054
https://security-tracker.debian.org/tracker/CVE-2013-3630

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: moodle
Source-Version: 2.7.5+dfsg-3

We believe that the bug you reported is fixed in the latest version of moodle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joost van Baal-Ilić <[email protected]> (supplier of updated moodle package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Mon, 09 Mar 2015 12:56:41 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 2.7.5+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Moodle Packaging Team <[email protected]>
Changed-By: Joost van Baal-Ilić <[email protected]>
Description:
 moodle - course management system for online learning
Closes: 775842
Changes:
 moodle (2.7.5+dfsg-3) unstable; urgency=high
 .
   * debian/README.Debian: add authors and dates, in order to make status
     more clear.
   * debian/watch: (trying to) get it working again, with revamped moodle.org
     website.
   * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
   * For the record,
     https://security-tracker.debian.org/tracker/CVE-2013-3630 will not get
     fixed: it's not a bug: the attack can only get launched by an
     administrator, and administrators need to be trusted. See also Debian
     bug #775842.
   * Fix CVE-2014-4172 and CVE-2014-2054:
     - debian/rules, debian/control: don't use CAS client library as shipped
       with moodle (unchanged phpCAS 1.3.3, see upstream
       auth/cas/CAS/moodle_readme.txt) but php-cas as shipped with Debian
       (1.3.3-1 and 1.3.1-4+deb7u1); create symlinks
       /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php and
       /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes
       CVE-2014-4172.
     - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
       lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes
       both a license problem and a security problem: Although the PHP
       license is generally agreed to be DFSG-free, using it as a license on
       anything that isn't PHP itself makes the result non-free. PHP OLE is
       licensed under the PHP license. Older versions of PHP Excel, such as
       the one shipped with moodle, suffer from security problem
       CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
     This closed Debian bug "Multiple security issues"; thanks Moritz
     Muehlenhoff, Thijs Kinkhorst and Hubert Chathi (Closes: #775842)
Checksums-Sha1:
 b687c53a12b6c0648581d2bfa41974dfa8e143ae 1718 moodle_2.7.5+dfsg-3.dsc
 97f9d17e07f7279060b8de5676be58f8e3c18fc9 72217992 moodle_2.7.5+dfsg-3.debian.tar.xz
 4b28b782848f22f748eb6234c8cb4354b19e5848 15314338 moodle_2.7.5+dfsg-3_all.deb
Checksums-Sha256:
 99f4a035f05bfde496a73dda7fd30c1dbf9e3ed200bc2306e991592d92800504 1718 moodle_2.7.5+dfsg-3.dsc
 fc5f4efddc16e7b5a5af5741b344ed6258500ea50e689e16cf367a9bb5dbf861 72217992 moodle_2.7.5+dfsg-3.debian.tar.xz
 98302d577a63889cdbf27e861b326ffb30c9be7f7a08c9382bac4941506176b1 15314338 moodle_2.7.5+dfsg-3_all.deb
Files:
 be7b841d7655a2abd63008859f7d7e80 1718 web optional moodle_2.7.5+dfsg-3.dsc
 631feb5c9f088fc68027e15e24c315ea 72217992 web optional moodle_2.7.5+dfsg-3.debian.tar.xz
 d22ab17eacf0feeef2667cc634a24009 15314338 web optional moodle_2.7.5+dfsg-3_all.deb
--- End Message ---
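
A check an administrator could run to confirm that an installed tree reflects the unbundling described in the changelog above. This is an added example, not part of the Debian package or of the original messages. The Moodle root and the PHP library directory are passed in as arguments because the changelog abbreviates the install path as /u/s/m; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Debian package). MOODLE_ROOT and PHP_LIB are
# caller-supplied assumptions; the changelog abbreviates the tree as /u/s/m.

# check_symlink LINK TARGET: true only if LINK is a symlink whose stored
# target equals TARGET (a trailing slash on either side is ignored).
check_symlink() {
    [ -L "$1" ] || return 1
    link_target=$(readlink "$1") || return 1
    [ "${link_target%/}" = "${2%/}" ]
}

# audit_moodle_unbundling MOODLE_ROOT PHP_LIB
# Prints one line per finding; the return status is the number of findings.
audit_moodle_unbundling() {
    root=${1%/}
    phplib=${2%/}
    findings=0
    # Both CAS entry points must point at the system php-cas, not a bundled copy.
    for name in CAS.php CAS; do
        if ! check_symlink "$root/auth/cas/CAS/$name" "$phplib/$name"; then
            echo "BUNDLED: $root/auth/cas/CAS/$name is not a symlink to $phplib/$name"
            findings=$((findings + 1))
        fi
    done
    # The changelog removes lib/phpexcel from the binary package entirely.
    if [ -e "$root/lib/phpexcel" ] || [ -L "$root/lib/phpexcel" ]; then
        echo "PRESENT: $root/lib/phpexcel is still shipped"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed demo tree: CAS.php correctly linked, CAS/ bundled, phpexcel present.
demo_audit() {
    tmp=$(mktemp -d) || return 99
    mkdir -p "$tmp/moodle/auth/cas/CAS/CAS" "$tmp/moodle/lib/phpexcel"
    ln -s /usr/share/php/CAS.php "$tmp/moodle/auth/cas/CAS/CAS.php"
    demo_rc=0
    audit_moodle_unbundling "$tmp/moodle" /usr/share/php || demo_rc=$?
    rm -rf "$tmp"
    return "$demo_rc"
}

# With two arguments audit a real tree; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then audit_moodle_unbundling "$1" "$2"; else demo_audit || true; fi
```

The comparison uses the link's stored target rather than the resolved path, so a link that points somewhere other than the system php-cas is reported even if that location happens to contain a working copy.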

