moodle (3.0.3+dfsg-0ubuntu1) xenial; urgency=medium

  [ Nishanth Aravamudan ]
  * New upstream release, as only 3.0.1+ has PHP7 support
    (LP: #1562172).
    - https://docs.moodle.org/dev/Moodle_and_PHP7
    - https://tracker.moodle.org/browse/MDL-50565
    - update d/rules dfsg target.
    - remove mdeploy*.php from d/install.
    - d/lintian-overrides, d/source/lintian-overrides: update embedded
      tinymce, yuilib, jquery versions.
    - d/rules: update override_dh_lintian.
  * d/control: update to PHP7.0 dependencies.
  * d/watch: correct for current releases.

  [ Steve Langasek ]
  * Also update lintian overrides for binary packages.
  * Remove some additional license files.
  * Drop some no-longer-applicable lintian overrides.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 01 Apr 2016 22:08:56 -0700

moodle (2.7.12+dfsg-1) unstable; urgency=high

  * New upstream security release, released Jan 11, 2016. Note that the
    upstream 2.7 branch is supported for security fixes only until May 2017
    (LTS). Security issue fixed:
    - (MSA-16-0001) CVE-2016-0724 Two enrolment-related web services don't check
      course visibility. Thanks Salvatore Bonaccorso. Closes: #811344
    Other fixes and improvements:
    - MDL-49473 - Logs export contains year
    - MDL-52194 - Fixed Flowplayer not working with insecure configuration of
      request_order
    See https://docs.moodle.org/dev/Moodle_2.7.12_release_notes for more
    details.
  * debian/links, debian/rules: delegate creating symlinks to dh_link, via
    debian/links. This should fix a bug in upgrading: old obsolete symlinks are
    kept.
  * debian/rules: no longer install bennu/COPYRIGHT.txt, dragmath/COPYRIGHT.html
    in usr/share/moodle/lib .
  * debian/control: get rid of Breaks/Replaces moodle-book: moodle-book was only
    shipped with squeeze (current oldoldstable).
  * debian/control: remove Penny Leach <penny /a/ mjollnir 0 org>, Xavier Oswald
    <xoswald@d.o> from Uploaders: I haven't seen any activity from them since
    more than one year. Penny, Xavier: you're very much invited to add yourself
    again.
  * debian/rules: no longer run debhelper in verbose mode.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 18 Jan 2016 08:38:29 +0100

moodle (2.7.11+dfsg-2) unstable; urgency=high

  * debian/rules: no longer link to content from
    /usr/share/php-htmlpurifier/library/, but directly to
    /usr/share/php/HTMLPurifier*. This way, the php-htmlpurifier maintainers
    can get rid of the compatibility symlink introduced in Debian Jessie.
    Also: not only link to HTMLPurifier.php and HTMLPurifier.safe-includes.php,
    but also to HTMLPurifier.autoload.php HTMLPurifier.auto.php
    HTMLPurifier.func.php HTMLPurifier.includes.php HTMLPurifier.kses.php and
    HTMLPurifier.path.php. Thanks David Prévot. Closes: #803175
  * debian/po/es.po: update Spanish translation. Thanks
    Javier Fernández-Sanguino. Closes: #773567
  * debian/control: make installation dependencies more flexible by adding
    php5-fpm as alternative to libapache2-mod-php5 | php5-cgi. Thanks Detlev
    Brodowski. Closes: #807072
  * debian/rules: replace obsolete "dh binary-indep --before dh_lintian" and
    "dh binary-indep --remaining" by "override_dh_lintian" and "dh_lintian".
    Thanks lintian.
  * debian/changelog: add CVE IDs to entry moodle (2.7.11+dfsg-1).
  * debian/changelog: in entry moodle (2.7.2+dfsg-3), refer to #754565 and
    give credit.
  * debian/changelog: in entry moodle (2.7.2-2), refer to #736800 and give
    credit.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 07 Dec 2015 13:52:32 +0100

moodle (2.7.11+dfsg-1) unstable; urgency=high

  * New upstream security release, released Nov 9, 2015. Security issues fixed:
    - (MSA-15-0039) CVE-2015-5335 CSRF in site registration form: Attacker can
      send admin a link to site registration form that will display correct URL
      but, if submitted, will register with another hub. It is possible to trick
      a site/admin into sending aggregate stats to an arbitrary domain.
      Reported by Andrew Davis; Upstream patch:
      http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
    - (MSA-15-0040) CVE-2015-5336 Student XSS in survey: Standard survey module
      is vulnerable to XSS attack by students who fill the survey. Reported by
      Hugh Davenport; Upstream patch: MDL-49940
    - (MSA-15-0041) CVE-2015-5337 XSS in flash video player: XSS vulnerability
      caused by Flowplayer flash video player has been addressed. Reported by
      Andrew Nicols; MDL-48085
    - (MSA-15-0042) CVE-2015-5338 CSRF in lesson login form: Password-protected
      lesson modules are subject to CSRF vulnerability. Reported by Ankit
      Agarwal; MDL-48109.
    - (MSA-15-0043) CVE-2015-5339 Web service core_enrol_get_enrolled_users does
      not respect course group mode: Through WS core_enrol_get_enrolled_users it
      is possible to retrieve list of course participants who would not be
      visible when using web site. Reported by Daniel Palou; MDL-51861
    - (MSA-15-0044) CVE-2015-5340 Capability to view available badges is not
      respected: Logged in users who do not have capability 'View available
      badges without earning them' can still access the full list of badges.
      Capability moodle/badges:viewbadges is not respected. Reported by Marina
      Glancy; MDL-51684
    - (MSA-15-0045) CVE-2015-5341 SCORM module allows to bypass access
      restrictions based on date: Incorrect and missing handling of availability
      dates in mod_scorm let users to view the SCORM contents bypassing the date
      restriction. Reported by Juan Leyva; MDL-50837
    - (MSA-15-0046) CVE-2015-5342 Choice module closing date can be bypassed:
      Users can mock URL to delete or submit new responses after the choice
      module was closed. Reported by Juan Leyva; MDL-51569
    See https://bugzilla.redhat.com/show_bug.cgi?id=1288158 for details. Thanks
    Adam Mariš @ Red Hat. See also
    https://moodle.org/mod/forum/discuss.php?d=322852 , published Nov 9, 2015.
    Other Fixes and improvements:
    - MDL-51083 - Fixed undesired browser password autofilling in several forms
      (majority of forms were fixed in MDL-45772 in previous release)
    - MDL-51190 - Fixed MS Edge locking up when viewing embedded PDF
    See https://docs.moodle.org/dev/Moodle_2.7.11_release_notes for more
    details.
  * debian/source/lintian-overrides: add some more incorrectly flagged
    javascript files. See lintian bug 802028 (and 799861).

 -- Joost van Baal-Ilić <joostvb@debian.org>  Fri, 04 Dec 2015 15:12:23 +0100

moodle (2.7.10+dfsg-1) unstable; urgency=high

  * New upstream security release, released Sept 21, 2015. Security issues
    fixed:
    - MSA-15-0030: Students can re-attempt answering questions in the lesson,
      Reported by Eric Eakin, MDL-50516, CVE-2015-5264
    - MSA-15-0031: Teacher in forum can still post to "all participants" and
      groups they are not members of, Reported by David Scotson, MDL-50576,
      CVE-2015-5272
    - MSA-15-0032: Users can delete files uploaded by other users in wiki,
      Reported by John Provasnik, MDL-48371, CVE-2015-5265
    - MSA-15-0033: Meta course synchronisation enrols suspended students as
      managers for a short period of time, Reported by Brian Winstead,
      MDL-50744, CVE-2015-5266
    - MSA-15-0034: Vulnerability in password recovery mechanism, Reported by
      Vincent Herbulot (@us3r777), MDL-50860, CVE-2015-5267
    - MSA-15-0035: Rating component does not check separate groups, Reported by
      Juan Leyva, MDL-50173, CVE-2015-5268
    - MSA-15-0036: XSS in grouping description, Reported by Marina Glancy,
      MDL-50709, CVE-2015-5269
    See the 21 Sep 2015 post from Marina Glancy at
    http://www.openwall.com/lists/oss-security/2015/09/21/1 for more details on
    these fixed security issues. Some other fixes and improvements: MDL-51050
    - Forms such as "Create new group" are no longer populated with passwords
    and usernames by the browsers; MDL-42670 - Recent activity block no longer
    shows student name when assignment blind marking is on. See
    https://docs.moodle.org/dev/Moodle_2.7.10_release_notes for more details.
    Thanks Salvatore Bonaccorso and Thijs Kinkhorst for forwarding the news.
    Closes: #799634
  * debian/source/lintian-overrides: add comment/comment.js, some
    lib/yuilib/3.15.0/**/*-debug.js and
    lib/yuilib/2in3/2.9.0/build/yui2-*/*-debug.js files to list of false
    positives "source-is-missing". Bug #799861 reported against lintian.
  * debian/copyright: clarify license situation of
    lib/pear/HTML/QuickForm/DHTMLRulesTableless.php and
    lib/pear/HTML/QuickForm/Renderer/Tableless.php. Thanks
    Ondřej Surý and Paul Tagliamonte. Closes: #752615
  * debian/control: no longer depend upon libphp-pclzip. This dependency was
    actually no longer needed since 2.7.5+dfsg-3, when phpexcel got removed.
    Thanks David Prévot. Closes: #749609
  * debian/changelog: fix entry for 2.7.5+dfsg-3 to properly close 746594.
    See also https://tracker.moodle.org/browse/MDL-45395 . Thanks Dan Poltawski
    e.a.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 21 Sep 2015 09:52:15 +0200

moodle (2.7.9+dfsg-1) unstable; urgency=high

  * New upstream security release, released July 6, 2015. Security issues fixed:
    - MSA-15-0026 Possible phishing when redirecting to external site using
      referer header, Reported by Totara, MDL-50688, CVE-2015-3272
    - MSA-15-0028 Possible XSS through custom text profile fields in Web
      Services, Reported by Marina Glancy, MDL-50130, CVE-2015-3274
    - MSA-15-0029 Javascript injection in SCORM module, Reported by Martin
      Greenaway, MDL-50614, CVE-2015-3275
    See http://www.openwall.com/lists/oss-security/2015/07/13/2 for more details
    on these fixed security issues. Some other fixes and improvements:
    MDL-50380 - Fixed missing parameter error when editing files in wiki;
    MDL-50177 - Upgrading assignments in 2.7/2.8 works even when conditional
    access is used; MDL-50275 - Added missing version bump after risk bitmap
    change in MDL-49941. See the Moodle 2.7.9 release notes at
    https://docs.moodle.org/dev/Moodle_2.7.9_release_notes for more details.
    Thanks Salvatore Bonaccorso. Closes: #792242
  * debian/changelog: fix line length: max 80 columns.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Thu, 16 Jul 2015 15:44:09 +0200

moodle (2.7.8+dfsg-1) unstable; urgency=high

  * New upstream security release, released 11 May 2015. Security issues
    fixed:
    - MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare
      that, Reported by Hugh Davenport, MDL-49941, CVE-2015-3174
    - MSA-15-0019: Possible phishing when redirecting to external site using
      referer header, Reported by Dingjie Yang, MDL-49179, CVE-2015-3175
    - MSA-15-0020: User fullname disclosure through account confirmation link,
      Reported by: Federico Kirschbaum, MDL-50099, CVE-2015-3176
    - MSA-15-0022: Potential XSS risk when returning text entered by student
      from Web Services, Reported by Eloy Lafuente, MDL-49718, CVE-2015-3178
    - MSA-15-0023: Suspended user is able to login when confirming email,
      Reported by Marina Glancy, MDL-50090, CVE-2015-3179
    - MSA-15-0024: User with suspended enrolment can see sections in the
      navigation tree, Reported by Alex Mitin, MDL-49788, CVE-2015-3180
    - MSA-15-0025: Capability to manage own files is not respected in Web
      Services, Reported by Juan Leyva, MDL-49994, CVE-2015-3181
    See http://www.openwall.com/lists/oss-security/2015/05/18/1 for more details
    on these fixed security issues. Some other fixes: MDL-48187 - Fixed problem
    with new items automatically marked as extra credit in SWM category in
    Gradebook; MDL-42449 - Grade category is preserved when duplicating a
    module; MDL-46746, MDL-47003, MDL-47002 - Atto editor HTML cleaning is less
    aggressive and more aware of special tags, especially noticeable when
    pasting text from Word. See the Moodle 2.7.8 release notes at
    https://docs.moodle.org/dev/Moodle_2.7.8_release_notes for more details.
    Thanks Salvatore Bonaccorso. Closes: #785591
  * debian/watch: fix syntax.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Fri, 22 May 2015 10:34:59 +0200

moodle (2.7.7+dfsg-2) unstable; urgency=high

  * debian/install: now installs scripts mdeploy.php and mdeploytest.php.
  * debian/install: now installs the directory "availability", thanks Maarten
    Horden and Oscar Diaz (Closes: #778422).
  * debian/changelog: Add some extra information on issues fixed in entry
    moodle (2.7.7+dfsg-1), thanks Marina Glancy and Thijs Kinkhorst.
  * debian/changelog: Add some extra information on CVE-2013-3630 in entry
    moodle (2.7.5+dfsg-3), thanks Marina Glancy.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Tue, 17 Mar 2015 14:20:39 +0100

moodle (2.7.7+dfsg-1) unstable; urgency=high

  * New upstream security release, released 10 March 2015. (Moodle 2.7.6 was
    released 9 March 2015). Issues fixed:
    - MSA-15-0010: Personal contacts and number of unread messages can be
      revealed, Reported by Barry Oosthuizen, MDL-49204, CVE-2015-2266
    - MSA-15-0011: Authentication in mdeploy can be bypassed. Reported by
      Frédéric Massart, MDL-49087 CVE-2015-2267
    - MSA-15-0012: ReDoS Possible with Convert links to URLs filter. Reported by
      Rob, MDL-38466, CVE-2015-2268
    - MSA-15-0013: Block title not properly escaped and may cause HTML
      injection. Reported by Gjoko Krstic, MDL-49144, CVE-2015-2269
    - MSA-15-0014: Potential information disclosure for the inaccessible
      courses. Reported by Sam Hemelryk, MDL-48804, CVE-2015-2270
    - MSA-15-0015: User without proper permission is able to mark the tag as
      inappropriate, Reported by Frédéric Massart, MDL-49084, CVE-2015-2271
    - MSA-15-0016: Web services token can be created for user with temporary
      password. Reported by Juan Leyva, MDL-48691, CVE-2015-2272
    - MSA-15-0017: XSS in quiz statistics report. Reported by Tim Hunt,
      MDL-49364, CVE-2015-2273
  * debian/changelog: enhance 2.7.2-1 entry: add note on upstream long term
    support of this 2.7 branch.
  * debian/TODO: add some build instructions.
  * debian/control: more strict php-cas dependency: known to break with
    1.3.1-4+deb7u1, known to work with 1.3.3-1.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Tue, 10 Mar 2015 14:12:49 +0100

moodle (2.7.5+dfsg-3) unstable; urgency=high

  * debian/README.Debian: add authors and dates, in order to make status more
    clear.
  * debian/watch: (trying to) get it working again, with revamped moodle.org
    website.
  * debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
  * For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
    will not get fixed: it's not a bug: the attack can only get launched by an
    administrator, and administrators need to be trusted. Sites that provide
    shared hosting and want to prevent the Moodle admin user from being able to
    set executable paths can also use: "$CFG->preventexecpath = true;". See
    also Debian bug #775842 and Moodle issue MDL-41449.
  * Fix CVE-2014-4172 and CVE-2014-2054:
    - debian/rules, debian/control: don't use CAS client library as shipped with
      moodle (unchanged phpCAS 1.3.3, see upstream
      auth/cas/CAS/moodle_readme.txt) but php-cas as shipped with Debian
      (1.3.3-1 and 1.3.1-4+deb7u1); create symlinks /u/s/m/auth/cas/CAS/CAS.php
      -> /usr/share/php/CAS.php and /u/s/m/auth/cas/CAS/CAS ->
      /usr/share/php/CAS/. This fixes CVE-2014-4172.
    - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
      lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes both
      a license problem and a security problem: Although the PHP license is
      generally agreed to be DFSG-free, using it as a license on anything that
      isn't PHP itself makes the result non-free. PHP OLE is licensed under the
      PHP license. Older versions of PHP Excel, such as the one shipped with
      moodle, suffer from security problem CVE-2014-2054. See also Debian Bug
      #718585 "RFP: php-excel". (Closes: #746594)
    This closed Debian bug "Multiple security issues"; thanks Moritz
    Muehlenhoff, Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 09 Mar 2015 12:56:41 +0100

moodle (2.7.5+dfsg-2) unstable; urgency=high

  * debian/README.Debian: add notes on upgrading.
  * debian/TODO: added.
  * debian/changelog: add CVE-number to previous entry.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Tue, 10 Feb 2015 14:27:09 +0000

moodle (2.7.5+dfsg-1) unstable; urgency=high

  * New upstream security release:
    Moodle 2.7.5 release notes, Release date: 2 February, 2015: "A number of
    security related issues were resolved." "Here is the
    full list of fixed issues in 2.7.5:
    https://tracker.moodle.org/issues/?jql=project+%3D+mdl+AND+resolution+%3D+fixed+AND+fixVersion+in+%28%222.7.5%22%29+ORDER+BY+priority+DESC"
    Fixes include: "Preauthenticated Local File Disclosure", as reported
    by Emiel Florijn, MDL-48980 and MDL-48990, i.e. CVE-2015-1493 (also
    aliased as CVE-2015-0246). See also
    https://docs.moodle.org/dev/Moodle_2.7.5_release_notes and
    https://moodle.org/mod/forum/discuss.php?d=279956 , published Feb 10
    2015.

  * For the record: Security issues fixed in upstream Moodle 2.7.3 and 2.7.4:
    CVE-2015-0218 (see
    https://security-tracker.debian.org/tracker/CVE-2015-0218),
    CVE-2015-0217, CVE-2015-0216, CVE-2015-0215, CVE-2015-0214, CVE-2015-0213,
    CVE-2015-0212, CVE-2015-0211, CVE-2014-9059, CVE-2014-7848, CVE-2014-7847,
    CVE-2014-7846, CVE-2014-7845, CVE-2014-7838, CVE-2014-7837, CVE-2014-7836,
    CVE-2014-7835, CVE-2014-7834, CVE-2014-7833, CVE-2014-7832, CVE-2014-7831,
    CVE-2014-7830, CVE-2014-3617, CVE-2014-3553, CVE-2014-3551, CVE-2014-3548,
    CVE-2014-3547, CVE-2014-3546, CVE-2014-3545, CVE-2014-3544, CVE-2014-3543,
    CVE-2014-3542, CVE-2014-3541.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 02 Feb 2015 08:38:14 +0000

moodle (2.7.2+dfsg-3) experimental; urgency=medium

  * Remove lib/tcpdf/include/sRGB.icc from upstream source since it does
    not allow modification (usually known as
    sRGB_IEC61966-2-1_black_scaled.icc). FWIW: this file was not installed
    by the Moodle 2.6.3 Debian package. Thanks bastien ROUCARIES, Riley Baird
    and Tomasz Muras. Closes: #754565
  * Remove lib/flowplayer/flowplayer.audio-3.2.11.swf since sources missing.
  * debian/rules: add preliminary target dfsg, with some comments.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Fri, 30 Jan 2015 12:48:55 +0000

moodle (2.7.2-2) experimental; urgency=medium

  * debian/control: remove Thijs Kinkhorst from Uploaders, on his request.
    Thanks Thijs!
  * debian/source/include-binaries, debian/missing-sources: Added missing
    sources for
    - the Flowplayer video player from Flowplayer Ltd
      (http://flash.flowplayer.org/): flash-release_3_2_18.tar.gz for
      flowplayer-3.2.18.swf, flash-release_3_2_16.tar.gz for
      lib/flowplayer/flowplayer.controls-3.2.16.swf.
      Downloaded from https://github.com/flowplayer/flash/releases.
      See also #736800 "Sourceless flash file" and
      https://tracker.moodle.org/browse/MDL-44093. Thanks bastien ROUCARIES,
      Robert Bihlmeyer and Thijs Kinkhorst. Closes: #736800
    - filter/tex/mimetex.linux and mimetex.freebsd
    NB: flowplayer-3.2.18.swf, flowplayer.controls-3.2.16.swf, mimetex.linux
    and mimetex.freebsd are not shipped with the binary Debian package.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 03 Nov 2014 15:03:51 +0100

moodle (2.7.2-1) unstable; urgency=medium

  * This is a semi-public release.
  * New upstream release; new upstream 2.7 branch. About this branch, upstream
    states, at https://docs.moodle.org/dev/Releases#Moodle_2.7 : "Bug fixes for
    general core bugs in 2.7.x will end 11 May 2015 (12 months). Bug fixes for
    serious security issues in 2.7.x will end 8 May 2017 (36 months)."
  * This upstream release fixes security issues:
    - MSA-14-0014 Cross-site request forgery possible in Assignment
      [CVE-2014-0213]
    - MSA-14-0015 Web service token expiry issue for MoodleMobile
      [CVE-2014-0214]
    - MSA-14-0016 Anonymous student identity revealed in Assignment
      [CVE-2014-0215]
    - MSA-14-0017 File access issue in HTML block [CVE-2014-0216]
    - MSA-14-0018 Information leak in courses [CVE-2014-0217]
    - MSA-14-0019 Reflected XSS in URL downloader repository [CVE-2014-0218]
    (See https://docs.moodle.org/dev/Moodle_2.7_release_notes#Security_issues)
  * debian/rules: remove extra license file
    lib/editor/atto/yui/src/rangy/js/license.txt.
  * debian/copyright: add MIT license, for Rangy library for the Atto editor.
  * debian/moodle.lintian-overrides: add embedded-php-library
    lib/markdown/Markdown.php: we can't use Debian's libmarkdown-php due to
    incompatibilities.
  * debian/moodle.lintian-overrides: add embedded-php-library
    lib/simplepie/library/SimplePie.php: we can't use Debian's libphp-simplepie
    due to incompatibilities.
  * debian/moodle.lintian-overrides: add embedded-php-library
    lib/yuilib/3.15.0/yui/yui-min.js: we can't use Debian's libjs-yui
    due to incompatibilities.
  * debian/moodle.lintian-overrides, debian/source/lintian-overrides: change
    lines like "moodle: embedded-javascript-library
    lib/editor/tinymce/tiny_mce/3.5.8/tiny_mce.js" in "moodle source:
    source-is-missing
    lib/editor/tinymce/tiny_mce/3.5.10/plugins/advimage/langs/en_dlg.js":
    Moodle _does_ ship (modified) sources.
  * debian/rules, debian/control: don't use TCPDF library as shipped with
    moodle (tcpdf_php5 TCPDF 5.9.133 MDL-29283, see
    lib/tcpdf/readme_moodle.txt), but php-tcpdf as shipped with
    Debian (6.0.048+dfsg-2~bpo70+1 in wheezy-backports, 6.0.093+dfsg-1 in
    jessie): create symlink /usr/share/moodle/lib/tcpdf -> /usr/share/php/tcpdf.
    NB: the file lib/tcpdf/include/sRGB.icc does not allow modification.
  * debian/source/lintian-overrides: Moodle _does_ ship source of files
    lib/yuilib/3.15.0/datatype-date-format/lang/datatype-date-format* and other
    3.15.0 and 2in3/2.9.0/build files.
  * debian/source/lintian-overrides: Moodle _does_ ship source of file
    AMFTester.swf in amf/testclient/AMFTester.mxml.
  * debian/rules: do not install the Flowplayer video player from Flowplayer
    Ltd (http://flash.flowplayer.org/): source is missing.
  * debian/docs: remove tags.txt: only relevant for developers.
  * debian/control: add myself to uploaders.
  * debian/control: checked for policy 3.9.6, no changes necessary.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Tue, 28 Oct 2014 09:44:46 +0100

moodle (2.6.3-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 12 May 2014 16:10:38 +0200

moodle (2.6.2-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 12 Mar 2014 18:17:07 +0100

moodle (2.6.1-1) unstable; urgency=low

  * New upstream release.
  * Do install tcpdf lib, which is now required by core Moodle.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 12 Feb 2014 15:49:12 +0100

moodle (2.5.4-1) unstable; urgency=medium

  * New upstream release, fixing security issues:
    - MSA-14-0001 Config passwords visibility issue [CVE-2014-0008]
    - MSA-14-0002 Group constraints lacking in "login as" [CVE-2014-0009]
    - MSA-14-0003 CSRF vulnerability in profile fields [CVE-2014-0010]
  * Move /var/lib/moodle directory into package.
  * Revert back to bundled yui3. Unfortunately, version in Debian and
    of upstream are not compatible (closes: #735312).

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 21 Jan 2014 13:40:52 +0100

moodle (2.5.3-3) unstable; urgency=medium

  * Drop unused libjs-yui dependency (closes: #730104).
  * Replace bundled yui3 with dependency on packaged libjs-yui3-min.
  * Add virtual-mysql-{server,client} dependency alternatives
    (closes: #732895).
  * Change owner of config.php from www-data to root.
  * Checked for policy 3.9.5, no changes necessary.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 03 Jan 2014 11:44:05 +0100

moodle (2.5.3-2) unstable; urgency=medium

  * Fix syntax error in generated config.php.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 29 Nov 2013 09:17:29 +0100

moodle (2.5.3-1) unstable; urgency=low

  * New upstream version: 2.5.3.
    - Incorporates CAS security patch.
    - Fixes security issues CVE-2013-4522, CVE-2013-4523,
      CVE-2013-4524, CVE-2013-4525, CVE-2013-6780.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 22 Nov 2013 14:09:51 +0100

moodle (2.5.2-1) unstable; urgency=medium

  * New upstream version: 2.5.2.
    - Incorporates S3 security patch.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 09 Sep 2013 15:22:35 +0200

moodle (2.5.1-2) unstable; urgency=low

  * Update debconf translation for
    Swedish, thanks Martin Bagge (closes: #717323);
    Italian, thanks Beatrice Torracca (closes: #717162);
    French, thanks Julien Patriarca (closes: #717548);
    Czech, thanks Michal Simunek (closes: #717550).
  * Add Breaks/Replaces moodle-book; integrated since Moodle 2.3.

 -- Thijs Kinkhorst <thijs@debian.org>  Sun, 04 Aug 2013 17:30:38 +0200

moodle (2.5.1-1) unstable; urgency=low

  * New upstream version: 2.5.1.
    - Fixes security issues:
      CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245
      CVE-2013-2246
  * Depend on apache2 instead of obsolete apache2-mpm-prefork.
  * Use packaged libphp-phpmailer (closes: #429339), adodb,
    HTMLPurifier, PclZip.
  * Update debconf translations, thanks Salvatore Merone, Pietro Tollot,
    Joe Hansen, Yuri Kozlov, Holger Wansing, Américo Monteiro,
    Adriano Rafael Gomes, victory, Michał Kułach.
    (closes: #716972, #716986, #717080, #717108, #717278)

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 19 Jul 2013 08:52:46 +0200

moodle (2.5-1) unstable; urgency=low

  * New upstream version: 2.5.
    - Removed problematically licenced JSON code (closes: #692626).
    - Fixes security issues:
      CVE-2012-3363, CVE-2012-6098, CVE-2012-6099, CVE-2012-6100,
      CVE-2012-6101, CVE-2012-6103, CVE-2012-6104, CVE-2012-6105,
      CVE-2012-6112, CVE-2013-1829, CVE-2013-1830, CVE-2013-1831,
      CVE-2013-1832, CVE-2013-1833, CVE-2013-1834, CVE-2013-1835,
      CVE-2013-1836, CVE-2013-2080, CVE-2013-2081, CVE-2013-2082,
      CVE-2013-2083 (closes: #702387, #703870).
  * FLV player removed, no need to repack source tarball.
  * Checked for policy 3.9.4, no changes. Updated to debhelper 8.
  * Use xz compression for binary packages.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 28 Jun 2013 15:35:53 +0200

526 | moodle (2.2.7.dfsg-1) unstable; urgency=low |
---|
527 | |
---|
528 | * New upstream version: 2.2.7+ (Build: 20130125) |
---|
529 | |
---|
530 | * Fix possible security issue for curl in 3rd party libraries: |
---|
531 | * phpCAS (CVE-2012-5583) |
---|
532 | * amazon-s3-php-class (CVE-2012-6087) |
---|
533 | |
---|
534 | -- Tomasz Muras <nexor1984@gmail.com> Mon, 28 Jan 2013 17:43:26 +0100 |
---|
535 | |
---|
536 | moodle (2.2.6.dfsg-1) unstable; urgency=low |
---|
537 | |
---|
538 | * New upstream version: 2.2.6 (Build: 20121112) |
---|
539 | |
---|
540 | -- Tomasz Muras <nexor1984@gmail.com> Thu, 15 Nov 2012 21:50:13 +0100 |
---|
541 | |
---|
542 | moodle (2.2.3.dfsg-2.6) unstable; urgency=low |
---|
543 | |
---|
544 | * Non-maintainer upload. |
---|
545 | |
---|
546 | * Backport multiple security issues from upstream's MOODLE_22_STABLE |
---|
547 | branch. |
---|
548 | - MSA-12-0057: MDL-29872 - Access issue through repository |
---|
549 | Fixes CVE-2012-5471 |
---|
550 | - MSA-12-0058: MDL-32785 - Possible form data manipulation issue |
---|
551 | Fixes CVE-2012-5472 |
---|
552 | - MSA-12-0059: MDL-34448 - Information leak in Database activity module |
---|
553 | Fixes CVE-2012-5473 |
---|
554 | - MSA-12-0061: MDL-33791 - Remote code execution through Portfolio API |
---|
555 | Fixes CVE-2012-5479 |
---|
556 | - MSA-12-0062: MDL-35558 - Information leak in Database activity module |
---|
557 | Fixes CVE-2012-5480 |
---|
558 | |
---|
559 | -- Didier Raboud <odyx@debian.org> Mon, 12 Nov 2012 10:00:00 +0100 |
---|
560 | |
---|
561 | moodle (2.2.3.dfsg-2.5) unstable; urgency=low |
---|
562 | |
---|
563 | * Non-maintainer brown-paper bag upload. |
---|
564 | |
---|
565 | * Fix the preinst shell syntax to properly drop the left-over symlink |
---|
566 | in favour of the shipped directory. (Closes: #689506 fo real now) |
---|
567 | |
---|
568 | -- Didier Raboud <odyx@debian.org> Wed, 31 Oct 2012 08:25:55 +0100 |
---|
569 | |
---|
570 | moodle (2.2.3.dfsg-2.4) unstable; urgency=low |
---|
571 | |
---|
572 | * Non-maintainer upload. |
---|
573 | |
---|
574 | * Drop a left-over symlink in favour of the shipped directory. |
---|
575 | (Closes: #689506) |
---|
576 | |
---|
577 | -- Didier Raboud <odyx@debian.org> Sun, 28 Oct 2012 15:01:09 +0100 |
---|
578 | |
---|
579 | moodle (2.2.3.dfsg-2.3) unstable; urgency=low |
---|
580 | |
---|
581 | * Non-maintainer upload. |
---|
582 | |
---|
583 | * Backport multiple security issues from upstream's MOODLE_22_STABLE |
---|
584 | branch. (Closes: #687924) |
---|
585 | - MSA-12-0051: MDL-30792 - File upload size constraint issue |
---|
586 | Fixes CVE-2012-4400 |
---|
587 | - MSA-12-0052: MDL-28207 - Course topics permission issue |
---|
588 | Fixes CVE-2012-4401 |
---|
589 | - MSA-12-0053: MDL-34585 - Blog file access issue |
---|
590 | Fixes CVE-2012-4407 |
---|
591 | - MSA-12-0054: MDL-34519 - Course reset permission issue |
---|
592 | Fixes CVE-2012-4408 |
---|
593 | - MSA-12-0055: MDL-34368 - Web service access token issue |
---|
594 | Fixes CVE-2012-4402 |
---|
595 | |
---|
596 | -- Didier Raboud <odyx@debian.org> Fri, 28 Sep 2012 12:52:21 +0200 |
---|
597 | |
---|
598 | moodle (2.2.3.dfsg-2.2) unstable; urgency=low |
---|
599 | |
---|
600 | * Non-maintainer upload. |
---|
601 | |
---|
602 | * Backport multiple security issues from upstream's MOODLE_22_STABLE |
---|
603 | branch. (Closes: #682203) |
---|
604 | - MDL-31692 mod_lti - ensure that various mforms are used properly |
---|
605 | Fixes CVE-2012-3389 |
---|
606 | - MDL-33916 Ensure that capabilities are checked for cached user |
---|
607 | enrolments |
---|
608 | Fixes CVE-2012-3388 |
---|
609 | |
---|
610 | -- Didier Raboud <odyx@debian.org> Mon, 23 Jul 2012 19:13:56 +0200 |
---|
611 | |
---|
612 | moodle (2.2.3.dfsg-2.1) unstable; urgency=low |
---|
613 | |
---|
614 | * Non-maintainer upload. |
---|
615 | |
---|
616 | * Backport multiple security issues from upstream's MOODLE_22_STABLE |
---|
617 | branch (Closes: #682203) |
---|
618 | - MDL-33808 - format title on the repository instance screen |
---|
619 | - MDL-33808 - incorrect cleaning of repository names |
---|
620 | Both patches fix CVE-2012-3393. |
---|
621 | - MDL-23254 Authentication : used httpswwwroot as root url during |
---|
622 | authentication procedure where $PAGE->https_required() is |
---|
623 | specified. |
---|
624 | Fix CVE-2012-3394 |
---|
625 | - MDL-27675 - Feedback module abuses data_submitted |
---|
626 | Fix CVE-2012-3395 |
---|
627 | - MDL-34045 fix invalid idnumber field type in cohort form |
---|
628 | Fix CVE-2012-3396 |
---|
629 | - MDL-33466: Group restriction should hide activity even with 'show |
---|
630 | availability' option |
---|
631 | Fix CVE-2012-3397 |
---|
632 | |
---|
633 | -- Didier Raboud <odyx@debian.org> Fri, 20 Jul 2012 19:52:07 +0200 |
---|
634 | |
---|
635 | moodle (2.2.3.dfsg-2) unstable; urgency=low |
---|
636 | |
---|
637 | * Don't depend on ucf during purge (closes: #678027) |
---|
638 | |
---|
639 | -- Tomasz Muras <nexor1984@gmail.com> Thu, 21 Jun 2012 17:31:35 +0200 |
---|
640 | |
---|
641 | moodle (2.2.3.dfsg-1) unstable; urgency=high |
---|
642 | |
---|
643 | * New upstream version: 2.2.3+ (Build: 20120615) |
---|
644 | closes: #674163 |
---|
645 | |
---|
646 | -- Tomasz Muras <nexor1984@gmail.com> Sat, 16 Jun 2012 21:39:12 +0200 |
---|
647 | |
---|
648 | moodle (2.2.2.dfsg-2) unstable; urgency=low |
---|
649 | |
---|
650 | * Fix path to cron (closes: #669229) |
---|
651 | |
---|
652 | -- Tomasz Muras <nexor1984@gmail.com> Wed, 18 Apr 2012 19:34:35 +0200 |
---|
653 | |
---|
654 | moodle (2.2.2.dfsg-1) unstable; urgency=low |
---|
655 | |
---|
656 | * New upstream version: 2.2.2+ (Build: 20120412) |
---|
657 | closes: #658865,#664260,#647489,#443949,#441013,#505044,#375290 |
---|
658 | * Updated Standards-Version to 3.9.3 |
---|
659 | * Removing Dan from maintainers (thanks for all your work Dan!) |
---|
660 | |
---|
661 | -- Tomasz Muras <nexor1984@gmail.com> Sun, 15 Apr 2012 13:50:52 -0400 |
---|
662 | |
---|
663 | moodle (1.9.9.dfsg2-6) unstable; urgency=high |
---|
664 | |
---|
665 | * Backporting security fixes from Moodle 1.9.17 |
---|
666 | - MSA-12-00013 DB activity export does not respect groups |
---|
667 | (CVE-2012-1155, closes: #668411) |
---|
668 | |
---|
669 | -- Tomasz Muras <nexor1984@gmail.com> Thu, 12 Apr 2012 21:55:48 +0100 |
---|
670 | |
---|
671 | moodle (1.9.9.dfsg2-5.1) unstable; urgency=low |
---|
672 | |
---|
673 | * Non-maintainer upload. |
---|
674 | * Fix pending l10n issues. Debconf translations: |
---|
675 | - Danish (Joe Hansen). Closes: #658747 |
---|
676 | - Dutch; (Jeroen Schot). Closes: #660243 |
---|
677 | - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #668092 |
---|
678 | - Italian (Beatrice Torracca). Closes: #668161 |
---|
679 | |
---|
680 | -- Christian Perrier <bubulle@debian.org> Tue, 10 Apr 2012 07:36:58 +0200 |
---|
681 | |
---|
682 | moodle (1.9.9.dfsg2-5) unstable; urgency=high |
---|
683 | |
---|
684 | * Backporting security fixes from Moodle 1.9.15 and 1.9.16 |
---|
685 | (closes: #652235) |
---|
686 | - MSA-11-0054 Personal information leak |
---|
687 | - MSA-11-0045 Potential to masquerade through MNet (CVE-2011-4584) |
---|
688 | - MSA-11-0046 Insecure authentication transmission (CVE-2011-4585) |
---|
689 | - MSA-11-0047 Possible injection attack in Calendar (CVE-2011-4586) |
---|
690 | - MSA-11-0048 Password loss issue (CVE-2011-4587) |
---|
691 | - MSA-11-0049 Network restriction ineffective with MNet (CVE-2011-4588) |
---|
692 | - MSA-12-0007 Email injection prevention (CVE-2012-0796) |
---|
693 | - MSA-12-0006 Additional email address validation (CVE-2012-0795) |
---|
694 | - MSA-12-0005 Encryption enhancement (CVE-2012-0794) |
---|
695 | - MSA-12-0004 Added profile image security (CVE-2012-0793) |
---|
696 | - MSA-12-0003 Added password protection |
---|
697 | - MSA-12-0002 Personal information leak, previously MSA-11-0040 |
---|
698 | (CVE-2011-4308 and CVE-2012-0792) |
---|
699 | - MSA-12-0001 Recaptcha transmission consistency issue |
---|
700 | |
---|
701 | -- Tomasz Muras <nexor1984@gmail.com> Mon, 27 Feb 2012 21:14:48 +0000 |
---|
702 | |
---|
703 | moodle (1.9.9.dfsg2-4) unstable; urgency=high |
---|
704 | |
---|
705 | * Backporting security fixes from Moodle 1.9.13 and 1.9.14 |
---|
706 | - MSA-11-0026 Fields in user upload CSV not being escaped (MDL-28360) |
---|
707 | - MSA-11-0025 Group names in user upload CSV not being escaped (MDL-28197) |
---|
708 | - MSA-11-0024 Recaptcha images were being authenticated |
---|
709 | from an older server (MDL-27889) (closes: #638935) |
---|
710 | - MSA-11-0020 Continue links in error messages can lead offsite (MDL-27464) |
---|
711 | - MSA-11-0038 Database injection protection strengthened (MDL-29033) |
---|
712 | - MSA-11-0037 Course section editing injection vulnerability (MDL-28722) |
---|
713 | - MSA-11-0036 Messaging refresh vulnerability (MDL-29311) |
---|
714 | - MSA-11-0032 MNET SSL validation issue (MDL-29148) |
---|
715 | - MSA-11-0031 Forms API constant issue (MDL-23872) |
---|
716 | * Make sure that smarty & yui symlinks are correct (closes: 603255,614712) |
---|
717 | |
---|
718 | -- Tomasz Muras <nexor1984@gmail.com> Fri, 28 Oct 2011 13:29:14 +0100 |
---|
719 | |
---|
720 | moodle (1.9.9.dfsg2-3) unstable; urgency=high |
---|
721 | |
---|
722 | * Backporting security fixes from Moodle 1.9.11 and 1.9.12 |
---|
723 | - MSA-11-0002 Cross-site request forgery vulnerability in RSS block (MDL-18839) |
---|
724 | - MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete (MDL-25754) |
---|
725 | - MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information (MDL-26189) |
---|
726 | - MSA-11-0011 Multiple cross-site scripting problems in media filter (MDL-26030) |
---|
727 | - MSA-11-0015 Cross Site Scripting through URL encoding (MDL-26966) |
---|
728 | - MSA-11-0013 Group/Quiz permissions issue (MDL-25122) |
---|
729 | |
---|
730 | -- Tomasz Muras <nexor1984@gmail.com> Wed, 18 May 2011 20:57:59 +0100 |
---|
731 | |
---|
732 | moodle (1.9.9.dfsg2-2.1) unstable; urgency=low |
---|
733 | |
---|
734 | * Non-maintainer upload. |
---|
735 | * Fix encoding of Swedish debconf translation. |
---|
736 | |
---|
737 | -- Christian Perrier <bubulle@debian.org> Tue, 11 Jan 2011 22:03:44 +0100 |
---|
738 | |
---|
739 | moodle (1.9.9.dfsg2-2) unstable; urgency=low |
---|
740 | |
---|
741 | * Added Romanian translation |
---|
742 | * Updated Japanese translation (closes: #596820) |
---|
743 | * Backporting security fixes from Moodle 1.9.10 (closes: #601384) |
---|
744 | - Updated embedded CAS to 1.1.3 |
---|
745 | - Added patch for MDL-24523: |
---|
746 | clean_text() not filtering text in markdown format |
---|
747 | - Added patch for MDL-24810 and upgraded customized HTML Purifier to 4.2.0 |
---|
748 | - Added patch for MDL-24258: |
---|
749 | students can delete their forum posts later than $CFG->maxeditingtime |
---|
750 | under certain conditions |
---|
751 | - Added patch for MDL-23377: |
---|
752 | Can't delete quiz attempts in course without enrolled students |
---|
753 | |
---|
754 | -- Tomasz Muras <nexor1984@gmail.com> Sat, 30 Oct 2010 12:19:28 +0100 |
---|
755 | |
---|
756 | moodle (1.9.9.dfsg2-1) unstable; urgency=low |
---|
757 | |
---|
758 | * Enable HTML purifier by default |
---|
759 | * Added Japanese translation (closes: #593808) |
---|
760 | * Removed from source swf files without a source code |
---|
761 | and added README.source |
---|
762 | * Updated bundled HTML purifier library - fix for |
---|
763 | CVE-2010-2479 (closes: #593301) |
---|
764 | |
---|
765 | -- Tomasz Muras <nexor1984@gmail.com> Tue, 24 Aug 2010 20:35:29 +0100 |
---|
766 | |
---|
767 | moodle (1.9.9.dfsg-1) unstable; urgency=low |
---|
768 | |
---|
769 | [ Jonathan Wiltshire ] |
---|
770 | * Debconf templates and debian/control reviewed by the debian-l10n- |
---|
771 | english team as part of the Smith review project. Closes: #588871 |
---|
772 | * Debconf translation updates: |
---|
773 | - Russian (closes: #589247) |
---|
774 | - Czech (closes: #589265) |
---|
775 | - Swedish (closes: #589270) |
---|
776 | - French (closes: #589510) |
---|
777 | - German (closes: #590120) |
---|
778 | - Spanish (closes: #590449) |
---|
779 | - Portuguese (closes: #590556) |
---|
780 | |
---|
781 | [ Tomasz Muras ] |
---|
782 | * New debconf translation - Polish |
---|
783 | * Removed .swf files as non-free (closes: #591201) |
---|
784 | * Fixed generation of config.php for postgres (thanks Giles Westwood) |
---|
785 | |
---|
786 | -- Tomasz Muras <nexor1984@gmail.com> Sun, 15 Aug 2010 21:19:10 +0100 |
---|
787 | |
---|
788 | moodle (1.9.9-2) unstable; urgency=low |
---|
789 | |
---|
790 | * Fixed JS includes for YUI library (closes: #589612) |
---|
791 | * Bumped standards version to 3.9.0 |
---|
792 | * Moved BSD licenses into copyright (fixes lintian warning) |
---|
793 | * Setting DM-Upload-Allowed as agreed with Xavier Oswald <xoswald@debian.org> |
---|
794 | |
---|
795 | -- Tomasz Muras <nexor1984@gmail.com> Thu, 22 Jul 2010 23:23:22 +0100 |
---|
796 | |
---|
797 | moodle (1.9.9-1) unstable; urgency=low |
---|
798 | |
---|
799 | * Rewritten debian/rules |
---|
800 | * Removed unnecessary usr/share/moodle/update-notifier |
---|
801 | * New Upstream Version: 1.9.9 |
---|
802 | * New upstream fixes CVE-2010-1619 (closes: #585425) |
---|
803 | * New upstream fixes MSA-10-0011 (closes: #586280) |
---|
804 | |
---|
805 | -- Tomasz Muras <nexor1984@gmail.com> Wed, 23 Jun 2010 21:00:39 +0100 |
---|
806 | |
---|
807 | moodle (1.9.8-1) unstable; urgency=low |
---|
808 | |
---|
809 | [Tomasz Muras] |
---|
810 | * New Maintainer (closes: #581229, #574969). |
---|
811 | * New Upstream Version (closes: #475535). |
---|
812 | * Added information about flvplayer to copyright (closes: #526543). |
---|
813 | * phpCAS XSS vulnerability fixed in mainstream Moodle 1.9.8 (closes: #574757). |
---|
814 | * Several security issues fixed in upstream (closes: #576189). |
---|
815 | * Moodle depends on postgresql or MySQL (closes: #551399). |
---|
816 | * Re-written to use dbconfig-common (closes: #302205). |
---|
817 | * Updated copyright with two new entries (closes: #526543). |
---|
818 | * Drop use of wwwconfig (closes: #389502). |
---|
819 | * Package is now not creating Apache config automatically (closes: #555672). |
---|
820 | It's up to the user to configure the webserver but package provides the |
---|
821 | templates. |
---|
822 | * Added "allow from localhost" (closes: #551402). |
---|
823 | * Asking for wwwroot during the installation (closes: #302207). |
---|
824 | * Removing nusoap as it's not necessary for PHP 5 (closes: #529573). |
---|
825 | |
---|
826 | [Xavier Oswald] |
---|
827 | * Add myself as uploader. |
---|
828 | * Bump Standards-Version to 3.8.4. |
---|
829 | * debian/copyright: update with DEP-5 format proposal. |
---|
830 | * Switch to dpkg-source 3.0 (quilt) format |
---|
831 | |
---|
832 | [Francois Marier] |
---|
833 | * Bump debhelper compatibility to 7 |
---|
834 | * Add a watch file |
---|
835 | * debian/control (dependencies) |
---|
836 | - Depend on libjs-yui instead of yui (renamed after lenny) |
---|
837 | - Add dependency on unzip |
---|
838 | - Recommend php5-xmlrpc and aspell |
---|
839 | - Suggest clamav |
---|
840 | - Demoted mimetex to recommended |
---|
841 | * Turn 'dbpersist' on by default in the generated config.php |
---|
842 | * Include whitespace warning at the end of generated config.php |
---|
843 | * Set the path to du, unzip and zip |
---|
844 | * Fix a warning when E_STRICT is turned on |
---|
845 | |
---|
846 | -- Xavier Oswald <xoswald@debian.org> Sun, 20 Jun 2010 16:02:14 +0200 |
---|
847 | |
---|
848 | moodle (1.8.2.dfsg-4) unstable; urgency=high |
---|
849 | |
---|
850 | * Improve the fix for log URL filtering as suggested by Steffen Joeris |
---|
851 | (MSA-09-0007 / CVE-2009-0500) |
---|
852 | * Backport upstream fix for calendar export leakage |
---|
853 | (MSA-09-0006 / CVE-2009-0501) |
---|
854 | |
---|
855 | -- Francois Marier <francois@debian.org> Thu, 12 Feb 2009 17:27:07 +1300 |
---|
856 | |
---|
857 | moodle (1.8.2.dfsg-3) unstable; urgency=high |
---|
858 | |
---|
859 | * Delete unused (but vulnerable) Spellchecker plugin to htmlarea |
---|
860 | (MSA-09-0005, CVE-2008-5153) |
---|
861 | * Hide images of deleted users (MSA-09-0001) |
---|
862 | * Fix user pix disclosure (MSA-09-0002) |
---|
863 | * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004) |
---|
864 | * Fix XSS vulnerabilities in logs (MSA-09-0007) |
---|
865 | * Fix CSRF vulnerability in forum code (MSA-09-0008) |
---|
866 | |
---|
867 | -- Francois Marier <francois@debian.org> Mon, 02 Feb 2009 19:09:10 +1300 |
---|
868 | |
---|
869 | moodle (1.8.2.dfsg-2) unstable; urgency=high |
---|
870 | |
---|
871 | [ Dan Poltawski ] |
---|
872 | * Patch SQL injection bug in hotpot module (MSA-08-0010) |
---|
873 | * Fix XSS bug in logged urls (MDL-11414) |
---|
874 | * Fix XSS bug in install script (MSA-08-0004) |
---|
875 | * Fix insufficient access control in Login as feature (MSA-08-0003) |
---|
876 | * Profiles of deleted users were accessible allowing for spam (MSA-08-0015) |
---|
877 | * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021) |
---|
878 | * Fix CSRF in messaging settings (MSA-08-0023) |
---|
879 | * Fix anonymous group creation and html injection (MDL-11759) |
---|
880 | * Fix SQL injection bug in mnet (MDL-9288) |
---|
881 | * Fix SQL injection bug in restore (MDL-11857) |
---|
882 | * Insufficient cleaning of essay questions (MDL-12079) |
---|
883 | * Fix insufficient cleaning of PARAM_HOST (MDL-12793) |
---|
884 | * Fix XSS bug in logged urls (MDL-11414) |
---|
885 | * Fix uncleaned params in wiki (MDL-14806) |
---|
886 | |
---|
887 | [ Francois Marier ] |
---|
888 | * Update html2text to prevent code execution attacks (closes: #508909) |
---|
889 | |
---|
890 | -- Francois Marier <francois@debian.org> Wed, 17 Dec 2008 13:37:10 +1300 |
---|
891 | |
---|
892 | moodle (1.8.2.dfsg-1) unstable; urgency=high |
---|
893 | |
---|
894 | * Replace html2text with a GPL alternative (closes: #507947) |
---|
895 | * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593) |
---|
896 | * Add Dan Poltawski to the uploaders field |
---|
897 | |
---|
898 | -- Francois Marier <francois@debian.org> Tue, 16 Dec 2008 20:24:27 +1300 |
---|
899 | |
---|
900 | moodle (1.8.2-2) unstable; urgency=high |
---|
901 | |
---|
902 | * Adopt orphaned package (closes: #494642) |
---|
903 | * Acknowledge security NMU (closes: #489533, #432264) |
---|
904 | * Add Vcs-* fields to debian/control |
---|
905 | |
---|
906 | Release-critical and security bugs: |
---|
907 | |
---|
908 | * Depend on smarty instead of using the embedded copy that is shipped |
---|
909 | with Moodle (closes: #471158, #488525, #504345) |
---|
910 | * Patch security bug in the embedded (and customised) copy of phpmailer |
---|
911 | (CVE-2007-3215, closes: #429339, #429190) |
---|
912 | * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492) |
---|
913 | * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235) |
---|
914 | * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069) |
---|
915 | |
---|
916 | Trivial bug fixes: |
---|
917 | |
---|
918 | * Depend on zip (closes: #408995) |
---|
919 | * Add mysql-client as an alternative to postgresql-client |
---|
920 | (closes: #417554, #469094) |
---|
921 | * Recommend php5-ldap (closes: #425839) |
---|
922 | * Delete unnecessary script with bashisms (closes: #489634) |
---|
923 | |
---|
924 | Lintian warnings: |
---|
925 | |
---|
926 | * Bump Standards-Version to 3.8.0 |
---|
927 | * Add homepage field to debian/control |
---|
928 | * Remove cvsignore file |
---|
929 | * Remove extra license file |
---|
930 | * Depend on yui instead of using an embedded copy |
---|
931 | |
---|
932 | -- Francois Marier <francois@debian.org> Fri, 07 Nov 2008 08:24:28 +1300 |
---|
933 | |
---|
934 | moodle (1.8.2-1.3) unstable; urgency=high |
---|
935 | |
---|
936 | * Non-maintainer upload by the Security Team. |
---|
937 | * Fix broken HTML filtering which could be used to perform XSS attacks, |
---|
938 | bypass restrictions or possibly execute arbitrary code |
---|
939 | (CVE-2008-1502; Closes: #489533). |
---|
940 | |
---|
941 | -- Nico Golde <nion@debian.org> Sun, 20 Jul 2008 18:07:55 +0200 |
---|
942 | |
---|
943 | moodle (1.8.2-1.2ubuntu2) intrepid; urgency=low |
---|
944 | |
---|
945 | * SECURITY UPDATE: arbitrary code execution via multiple vectors. |
---|
946 | - Add CVE-2008-1502.dpatch: upstream KSES lib fixes, thanks to Nico Golde. |
---|
947 | |
---|
948 | -- Kees Cook <kees@ubuntu.com> Wed, 22 Oct 2008 14:01:33 -0700 |
---|
949 | |
---|
950 | moodle (1.8.2-1.2ubuntu1) intrepid; urgency=low |
---|
951 | |
---|
952 | * Merge from debian unstable, remaining changes: |
---|
953 | - Suggest php5-ldap |
---|
954 | - Modify Maintainer value to match Debian-Maintainer-Field Spec |
---|
955 | - debian/postinst ucf fixes |
---|
956 | - drop use of wwwconfig (database code in postinst stolen from mythtv) |
---|
957 | |
---|
958 | -- Oliver Grawert <ogra@ubuntu.com> Thu, 01 May 2008 02:19:09 +0100 |
---|
959 | |
---|
960 | moodle (1.8.2-1.2) unstable; urgency=low |
---|
961 | |
---|
962 | * Non-maintainer upload to fix pending l10n issues. |
---|
963 | * Debconf translations: |
---|
964 | - Japanese. Closes: #413105 |
---|
965 | - Spanish. Closes: #413779 |
---|
966 | - German. Closes: #415888 |
---|
967 | - Dutch. Closes: #425711 |
---|
968 | - Slovak. Closes: #437511 |
---|
969 | - Brazilian Portuguese. Closes: #437680 |
---|
970 | - Finnish. Closes: #468212 |
---|
971 | - Basque. Closes: #470362 |
---|
972 | - Galician. Closes: #470430 |
---|
973 | - Vietnamese. Closes: #470602 |
---|
974 | - Russian. Closes: #470790 |
---|
975 | * [Lintian] Fix format of NEWS.Debian |
---|
976 | * [Lintian] Move debconf dependency to Pre-Depends as it is used |
---|
977 | in the preinst script |
---|
978 | |
---|
979 | -- Christian Perrier <bubulle@debian.org> Fri, 14 Mar 2008 07:33:53 +0100 |
---|
980 | |
---|
981 | moodle (1.8.2-1.1) unstable; urgency=low |
---|
982 | |
---|
983 | * Non-maintainer upload from the Zurich BSP |
---|
984 | * Added dependency on postgresql-client (Closes: #431589) |
---|
985 | |
---|
986 | -- Tobias Klauser <tklauser@access.unizh.ch> Sat, 12 Jan 2008 17:04:03 +0100 |
---|
987 | |
---|
988 | moodle (1.8.2-1ubuntu4) hardy; urgency=low |
---|
989 | |
---|
990 | * debian/postinst: ... except we should explicitly pass --debconf-ok |
---|
991 | to ucf, for compatibility with older versions. |
---|
992 | |
---|
993 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 28 Mar 2008 01:16:24 +0000 |
---|
994 | |
---|
995 | moodle (1.8.2-1ubuntu3) hardy; urgency=low |
---|
996 | |
---|
997 | * debian/postinst: Only call db_stop after ucf has been run in |
---|
998 | handle_config(), since ucf itself uses debconf; and drop the |
---|
999 | "exec 0<&1" workaround which no longer matters. LP: #203844 |
---|
1000 | |
---|
1001 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 28 Mar 2008 00:37:00 +0000 |
---|
1002 | |
---|
1003 | moodle (1.8.2-1ubuntu2) gutsy; urgency=low |
---|
1004 | |
---|
1005 | * Package changed to avoid use of wwwconfig; borrowed database setup code |
---|
1006 | from Ubuntu mythtv package. |
---|
1007 | |
---|
1008 | -- Matt Oquist <moquist@majen.net> Sat, 28 Jul 2007 16:14:18 +0200 |
---|
1009 | |
---|
1010 | moodle (1.8.2-1ubuntu1) gutsy; urgency=low |
---|
1011 | |
---|
1012 | * Merge from Debian unstable. Remaining Ubuntu changes: |
---|
1013 | - Depends on postgresql-client |
---|
1014 | - Suggest php5-ldap |
---|
1015 | - Modify Maintainer value to match Debian-Maintainer-Field Spec |
---|
1016 | |
---|
1017 | -- Vincent Legout <bixente44@gmail.com> Tue, 17 Jul 2007 16:14:18 +0200 |
---|
1018 | |
---|
1019 | moodle (1.8.2-1) unstable; urgency=low |
---|
1020 | |
---|
1021 | * New upstream release, fixes security bug, closes: #432264 |
---|
1022 | |
---|
1023 | -- Isaac Clerencia <isaac@debian.org> Mon, 09 Jul 2007 00:24:17 +0200 |
---|
1024 | |
---|
1025 | moodle (1.8.1-1ubuntu1) gutsy; urgency=low |
---|
1026 | |
---|
1027 | * Merge from debian unstable, remaining changes: |
---|
1028 | - Depends on postgresql-client |
---|
1029 | - Suggest php5-ldap |
---|
1030 | - Set apache2 as default in debian/templates |
---|
1031 | - Update Maintainer field in debian/control |
---|
1032 | |
---|
1033 | -- Luca Falavigna <dktrkranz@ubuntu.com> Fri, 15 Jun 2007 23:33:55 +0100 |
---|
1034 | |
---|
1035 | moodle (1.8.1-1) unstable; urgency=low |
---|
1036 | |
---|
1037 | * New upstream release |
---|
1038 | * Add php5-curl | php4-curl dependency for the new network features |
---|
1039 | * No longer depend on php4 and apache 1 |
---|
1040 | |
---|
1041 | -- Isaac Clerencia <isaac@debian.org> Fri, 15 Jun 2007 14:12:43 +0200 |
---|
1042 | |
---|
1043 | moodle (1.7.2-1ubuntu2) gutsy; urgency=low |
---|
1044 | |
---|
1045 | * Switch back to postgresql-client and postgresql (LP: 110054) |
---|
1046 | * Suggest php5-ldap (LP: 107713) |
---|
1047 | |
---|
1048 | -- Luca Falavigna <dktrkranz@ubuntu.com> Sun, 10 Jun 2007 23:56:16 +0200 |
---|
1049 | |
---|
1050 | moodle (1.7.2-1ubuntu1) gutsy; urgency=low |
---|
1051 | |
---|
1052 | * Merge from Debian unstable. Remaining Ubuntu changes: |
---|
1053 | + debian/control: |
---|
1054 | - php5 by default. |
---|
1055 | - Add postgresql-client-8.1 to Depends. |
---|
1056 | - Update Recommends alternate to postgresql-8.1. |
---|
1057 | + debian/templates: Ensure the default corresponds to the install- |
---|
1058 | time dependencies (apache2). |
---|
1059 | * Modify Maintainer value to match Debian-Maintainer-Field Spec |
---|
1060 | |
---|
1061 | -- Arthur Loiret <freacky22527@free.fr> Sun, 3 Jun 2007 20:53:01 +0200 |
---|
1062 | |
---|
1063 | moodle (1.7.2-1) unstable; urgency=low |
---|
1064 | |
---|
1065 | * New upstream release |
---|
1066 | |
---|
1067 | -- Isaac Clerencia <isaac@debian.org> Fri, 01 Jun 2007 12:54:59 +0200 |
---|
1068 | |
---|
1069 | moodle (1.7.1-1) experimental; urgency=low |
---|
1070 | |
---|
1071 | * New upstream release |
---|
1072 | |
---|
1073 | -- Isaac Clerencia <isaac@debian.org> Wed, 24 Jan 2007 14:21:34 +0100 |
---|
1074 | |
---|
1075 | moodle (1.7+20061215-1) experimental; urgency=low |
---|
1076 | |
---|
1077 | * New upstream release |
---|
1078 | |
---|
1079 | -- Isaac Clerencia <isaac@debian.org> Fri, 15 Dec 2006 13:39:14 +0100 |
---|
1080 | |
---|
1081 | moodle (1.6.3-2ubuntu1) feisty; urgency=low |
---|
1082 | |
---|
1083 | * Merge from debian unstable, remaining changes: |
---|
1084 | - debian/control: |
---|
1085 | + php5 by default. |
---|
1086 | + Add postgresql-client-8.1 to Depends. |
---|
1087 | + Update Recommends alternate to postgresql-8.1. |
---|
1088 | - debian/templates: Ensure the default corresponds to the install- |
---|
1089 | time dependencies (apache2). |
---|
1090 | |
---|
1091 | -- Kees Cook <kees@ubuntu.com> Mon, 18 Dec 2006 12:28:27 -0800 |
---|
1092 | |
---|
1093 | moodle (1.6.3-2) unstable; urgency=high |
---|
1094 | |
---|
1095 | * Urgency high as it fixes a security bug and should enter Etch ASAP |
---|
1096 | * Fix security bug in the forum module (discuss.php) |
---|
1097 | |
---|
1098 | -- Isaac Clerencia <isaac@debian.org> Thu, 14 Dec 2006 14:14:27 +0100 |
---|
1099 | |
---|
1100 | moodle (1.6.3-1ubuntu1) feisty; urgency=low |
---|
1101 | |
---|
1102 | * Merge from debian unstable. Remaining Ubuntu changes: |
---|
1103 | - debian/control: |
---|
1104 | + php5 by default. |
---|
1105 | + Add postgresql-client-8.1 to Depends. |
---|
1106 | + Update Recommends alternate to postgresql-8.1. |
---|
1107 | - debian/templates: Ensure the default corresponds to the install- |
---|
1108 | time dependencies (apache2). |
---|
1109 | |
---|
1110 | -- Kees Cook <kees@ubuntu.com> Wed, 29 Nov 2006 16:08:37 -0800 |
---|
1111 | |
---|
1112 | moodle (1.6.3-1) unstable; urgency=low |
---|
1113 | |
---|
1114 | * New upstream release |
---|
1115 | |
---|
1116 | -- Isaac Clerencia <isaac@debian.org> Thu, 19 Oct 2006 11:37:40 +0200 |
---|
1117 | |
---|
1118 | moodle (1.6.2+20060930-1) unstable; urgency=high |
---|
1119 | |
---|
1120 | * Urgency high because it fixes a critical security hole |
---|
1121 | * New upstream release, closes: #390294, critical security hole |
---|
1122 | * Notify the user if the selected server isn't installed, select apache2 |
---|
1123 | by default instead of apache, closes: #389806 |
---|
1124 | * Add a configuration section for php5 in apache.conf, closes: #387609 |
---|
1125 | |
---|
1126 | -- Isaac Clerencia <isaac@debian.org> Sat, 30 Sep 2006 12:14:29 +0100 |
---|
1127 | |
---|
1128 | moodle (1.6.2-1ubuntu1.1) edgy; urgency=low |
---|
1129 | |
---|
1130 | * SECURITY UPDATE: SQL injection vulnerability |
---|
1131 | * Add '01_sql-injection-fix.dpatch': Correctly escape tag options. |
---|
1132 | * References: |
---|
1133 | CVE-2006-5219 |
---|
1134 | http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3 |
---|
1135 | |
---|
1136 | -- Kees Cook <kees@ubuntu.com> Wed, 11 Oct 2006 15:25:15 -0700 |
---|
1137 | |
---|
1138 | moodle (1.6.2-1ubuntu1) edgy; urgency=low |
---|
1139 | |
---|
1140 | * Merge from Debian unstable. The following Ubuntu changes remain: |
---|
1141 | - debian/control: |
---|
1142 | + Apply patch from Ubuntu #59472 to use php5 |
---|
1143 | (Closes Ubuntu: #59472), |
---|
1144 | + Add postgresql-client-8.1 to Depends (Closes Ubuntu: #51813), |
---|
1145 | + Update Recommends alternate to postgresql-8.1, |
---|
1146 | - debian/templates: Ensure the default corresponds to the install- |
---|
1147 | time dependencies (apache2) so we can avoid the mess that was |
---|
1148 | worked around in dapper-security. |
---|
1149 | |
---|
1150 | -- Daniel T Chen <crimsun@ubuntu.com> Sat, 23 Sep 2006 22:26:13 -0400 |
---|
1151 | |
---|
1152 | moodle (1.6.2-1) unstable; urgency=low |
---|
1153 | |
---|
1154 | * New upstream release, closes: #387177 |
---|
1155 | * Debconf translation updates/additions: |
---|
1156 | * Czech, closes: #371834 |
---|
1157 | * French, closes: 372713 |
---|
1158 | * Portuguese, closes: #381194 |
---|
1159 | * Install config-dist.php in the documentation directory, closes: #386476 |
---|
1160 | |
---|
1161 | -- Isaac Clerencia <isaac@debian.org> Tue, 12 Sep 2006 22:06:34 +0200 |
---|
1162 | |
---|
1163 | moodle (1.6.1+20060825-1) unstable; urgency=low |
---|
1164 | |
---|
1165 | * New upstream release |
---|
1166 | * Moodle neither uses nor plans to use ADODB_Pager, so it's not affected by |
---|
1167 | #360396, but include patch for it anyway, just in case somebody decides to |
---|
1168 | use it out of the blue |
---|
1169 | |
---|
1170 | -- Isaac Clerencia <isaac@debian.org> Fri, 25 Aug 2006 08:56:42 +0200 |
---|
1171 | |
---|
1172 | moodle (1.6-2ubuntu1) edgy; urgency=low |
---|
1173 | |
---|
1174 | [ Ubuntu Merge-o-Matic ] |
---|
1175 | * Merge from debian unstable. |
---|
1176 | |
---|
1177 | -- Daniel T Chen <crimsun@ubuntu.com> Thu, 6 Jul 2006 20:30:30 -0400 |
---|
1178 | |
---|
1179 | moodle (1.6-2) unstable; urgency=low |
---|
1180 | |
---|
1181 | * Fix two problems in preinst, thanks to Jordi Mallach's workmate |
---|
1182 | * Ship cron file in package instead of generating it at postinst |
---|
1183 | |
---|
1184 | -- Isaac Clerencia <isaac@debian.org> Mon, 3 Jul 2006 10:25:31 +0200 |
---|
1185 | |
---|
1186 | moodle (1.6-1ubuntu1) edgy; urgency=low |
---|
1187 | |
---|
1188 | * Merge from debian unstable: |
---|
1189 | - Use Debian Sid's packaging save in debian/templates where we need |
---|
1190 | to make sure the default corresponds to the install-time |
---|
1191 | dependencies (apache2) so we can avoid the mess that was worked |
---|
1192 | around in dapper-security. |
---|
1193 | |
---|
1194 | -- Daniel T Chen <crimsun@ubuntu.com> Fri, 30 Jun 2006 19:21:20 +0100 |
---|
1195 | |
---|
1196 | moodle (1.6-1) unstable; urgency=low |
---|
1197 | |
---|
1198 | * New upstream release, needs newer PHP version, so updated versioned |
---|
1199 | dependencies |
---|
1200 | |
---|
1201 | -- Isaac Clerencia <isaac@debian.org> Mon, 19 Jun 2006 18:21:07 +0200 |
---|
1202 | |
---|
1203 | moodle (1.5.4-1) unstable; urgency=low |
---|
1204 | |
---|
1205 | * New upstream release |
---|
1206 | * Depend on ucf |
---|
1207 | * Move debhelper to Build-Depends as it's used in the clean target of |
---|
1208 | debian/rules |
---|
1209 | * Add colons to debconf template short descriptions |
---|
1210 | * Bumped Standards-Version to 3.7.2, no changes needed |
---|
1211 | |
---|
1212 | -- Isaac Clerencia <isaac@debian.org> Tue, 30 May 2006 17:48:11 +0200 |
---|
1213 | |
---|
1214 | moodle (1.5.3+20060206-1) unstable; urgency=low |
---|
1215 | |
---|
1216 | * New package created from 1.5.3+ branch, which includes several bugfixes |
---|
1217 | * Allow moodle to be installed using php5 instead of php4, closes: #351298 |
---|
1218 | * Changed apache | httpd to apache2-mpm-prefork | httpd |
---|
1219 | |
---|
1220 | -- Isaac Clerencia <isaac@debian.org> Mon, 6 Feb 2006 09:49:09 +0100 |
---|
1221 | |
---|
1222 | moodle (1.5.3+20060108-2) unstable; urgency=low |
---|
1223 | |
---|
1224 | * Throw cronjob output to /dev/null, closes: #349971 |
---|
1225 | |
---|
1226 | -- Isaac Clerencia <isaac@debian.org> Thu, 26 Jan 2006 13:01:58 +0100 |
---|
1227 | |
---|
1228 | moodle (1.5.3+20060108-1ubuntu1) dapper; urgency=low |
---|
1229 | |
---|
1230 | * Resynchronise with Debian. |
---|
1231 | |
---|
1232 | -- Daniel T Chen <crimsun@fungus.sh.nu> Mon, 09 Jan 2006 13:49:39 +0000 |
---|
1233 | |
---|
1234 | moodle (1.5.3+20060108-1) unstable; urgency=low |
---|
1235 | |
---|
1236 | * New package created from 1.5.3+ branch, which closes: #346509, a |
---|
1237 | security bug in the ADODB code included in Moodle |
---|
1238 | * Check for /usr/share/moodle/admin/cron.php existence in the cronjob, |
---|
1239 | closes: #342304 |
---|
1240 | * Use php4-cli instead of wget to run the cronjob, closes: #345930 |
---|
1241 | |
---|
1242 | -- Isaac Clerencia <isaac@debian.org> Sun, 8 Jan 2006 17:09:57 +0100 |
---|
1243 | |
---|
1244 | moodle (1.5.3-1ubuntu1) dapper; urgency=low |
---|
1245 | |
---|
1246 | * Resynchronise with Debian. |
---|
1247 | |
---|
1248 | -- Stephan Hermann <sh@sourcecode.de> Wed, 28 Dec 2005 18:25:41 +0100 |
---|
1249 | |
---|
1250 | moodle (1.5.3-1) unstable; urgency=low |
---|
1251 | |
---|
1252 | * New upstream release |
---|
1253 | |
---|
1254 | -- Isaac Clerencia <isaac@debian.org> Mon, 21 Nov 2005 21:09:21 +0100 |
---|
1255 | |
---|
1256 | moodle (1.5.2-1ubuntu1) breezy; urgency=low |
---|
1257 | |
---|
1258 | * Resync with debian (security update) |
---|
1259 | * changed dependencies to php5 |
---|
1260 | * changed apache dependency to apache2 |
---|
1261 | * References |
---|
1262 | CAN-2005-2247 |
---|
1263 | |
---|
1264 | -- Andrew Mitchell <ajmitch@ubuntu.com> Thu, 13 Oct 2005 02:00:59 +1300 |
---|
1265 | |
---|
1266 | moodle (1.5.2-1) unstable; urgency=low |
---|
1267 | |
---|
1268 | * New upstream release |
---|
1269 | |
---|
1270 | -- Isaac Clerencia <isaac@debian.org> Wed, 20 Jul 2005 15:13:41 +0200 |
---|
1271 | |
---|
1272 | moodle (1.5.1-1) unstable; urgency=low |
---|
1273 | |
---|
1274 | * New upstream release |
---|
1275 | |
---|
1276 | -- Isaac Clerencia <isaac@debian.org> Tue, 12 Jul 2005 09:50:59 +0200 |
---|
1277 | |
---|
1278 | moodle (1.5-1) unstable; urgency=low |
---|
1279 | |
---|
1280 | * New upstream release |
---|
1281 | * Added Vietnamese debconf translation, closes: #312961 |
---|
1282 | |
---|
1283 | -- Isaac Clerencia <isaac@debian.org> Wed, 22 Jun 2005 22:18:26 +0200 |
---|
1284 | |
---|
1285 | moodle (1.4.4.dfsg.1-3) unstable; urgency=high |
---|
1286 | |
---|
1287 | * Urgency high as this upload closes a security bug |
---|
1288 | * Remove admin/delete.php on installation, fixes an important security bug |
---|
1289 | |
---|
1290 | -- Isaac Clerencia <isaac@debian.org> Mon, 30 May 2005 20:45:33 +0200 |
---|
1291 | |
---|
1292 | moodle (1.4.4.dfsg.1-2) unstable; urgency=low |
---|
1293 | |
---|
1294 | * Use find | xargs instead of rm to remove old sessions, closes: #300266 |
---|
1295 | |
---|
1296 | -- Isaac Clerencia <isaac@debian.org> Fri, 18 Mar 2005 18:47:32 +0100 |
---|
1297 | |
---|
1298 | moodle (1.4.4.dfsg.1-1) unstable; urgency=high |
---|
1299 | |
---|
1300 | * Urgency high as it closes a release critical bug and fixes some security |
---|
1301 | problems |
---|
1302 | |
---|
1303 | * New upstream release |
---|
1304 | |
---|
1305 | * Replaced non-free fonts with free fonts for some languages in the original |
---|
1306 | tarball, closes: #298938 |
---|
1307 | |
---|
1308 | * Set perms for /etc/moodle/config.php to 640 instead of 644, closes: #297237 |
---|
1309 | |
---|
1310 | * Use new option $CFG->respectsessionsettings = true; to clean sessions and |
---|
1311 | remove old sessions from /var/lib/moodle/sessions, closes: #295124 |
---|
1312 | |
---|
1313 | * Added cs.po debconf template translation, closes: #298208 |
---|
1314 | |
---|
1315 | * Remove /var/lib/moodle/ when purging |
---|
1316 | |
---|
1317 | -- Isaac Clerencia <isaac@debian.org> Thu, 10 Mar 2005 01:02:48 +0100 |
---|
1318 | |
---|
1319 | moodle (1.4.3-1) unstable; urgency=high |
---|
1320 | |
---|
1321 | * Urgency high as upstream release fixes several security bugs |
---|
1322 | * New upstream release |
---|
1323 | * Write database creation errors and warn the user about it, |
---|
1324 | closes: #285842, #285842 |
---|
1325 | |
---|
1326 | -- Isaac Clerencia <isaac@sindominio.net> Wed, 29 Dec 2004 00:49:52 +0100 |
---|
1327 | |
---|
1328 | moodle (1.4.2-2) unstable; urgency=low |
---|
1329 | |
---|
1330 | * Create user before creating database in postinst |
---|
1331 | |
---|
1332 | -- Isaac Clerencia <isaac@sindominio.net> Tue, 23 Nov 2004 10:55:28 +0100 |
---|
1333 | |
---|
1334 | moodle (1.4.2-1) unstable; urgency=high |
---|
1335 | |
---|
1336 | * New upstream release |
---|
1337 | * Urgency high, as this upstream release closes several security bugs |
---|
1338 | * Added some extra information to README.Debian, thanks to Kevin Coyner |
---|
1339 | * Added apache2 as a choice for autoconfiguration, closes: #275444 |
---|
1340 | |
---|
1341 | -- Isaac Clerencia <isaac@sindominio.net> Wed, 10 Nov 2004 13:18:41 +0100 |
---|
1342 | |
---|
1343 | moodle (1.4.1-2) unstable; urgency=medium |
---|
1344 | |
---|
1345 | * Urgency medium, as it fixes the "default username" problem, which is a |
---|
1346 | www-config bug but affects lots of moodle users |
---|
1347 | * Use moodle as default database username, currently uses www-data which |
---|
1348 | causes www-config to fail to create the database |
---|
1349 | * Enabled TeX math filter and added mimetex in Depends: |
---|
1350 | * Removed an extra line from README.Debian |
---|
1351 | * Removed debian/overrides/ for lintian |
---|
1352 | |
---|
1353 | -- Isaac Clerencia <isaac@sindominio.net> Sun, 24 Oct 2004 12:16:39 +0200 |
---|
1354 | |
---|
1355 | moodle (1.4.1-1) unstable; urgency=low |
---|
1356 | |
---|
1357 | * New upstream release, closes: #270855 |
---|
1358 | * /var/lib/moodle is now owned by www-data, closes: #258283 |
---|
1359 | * Added README.Debian with some hints for database setup, |
---|
1360 | closes: #272553, #270851 |
---|
1361 | |
---|
1362 | -- Isaac Clerencia <isaac@sindominio.net> Sat, 2 Oct 2004 00:37:53 +0200 |
---|
1363 | |
---|
1364 | moodle (1.4-1) unstable; urgency=low |
---|
1365 | |
---|
1366 | * New upstream release, closes: #256218, #256219 |
---|
1367 | * Switched to a file in conf.d instead of an include in http.conf |
---|
1368 | * Added DirectoryIndex index.php to apache.conf file, closes: #247554 |
---|
1369 | |
---|
1370 | -- Isaac Clerencia <isaac@sindominio.net> Tue, 7 Sep 2004 22:07:10 +0200 |
---|
1371 | |
---|
1372 | moodle (1.3.3-1) unstable; urgency=low |
---|
1373 | |
---|
1374 | * New upstream release |
---|
1375 | |
---|
1376 | -- Isaac Clerencia <isaac@sindominio.net> Mon, 19 Jul 2004 11:28:48 +0200 |
---|
1377 | |
---|
1378 | moodle (1.3.2-1) unstable; urgency=low |
---|
1379 | |
---|
1380 | * New upstream release |
---|
1381 | |
---|
1382 | -- Isaac Clerencia <isaac@sindominio.net> Mon, 19 Jul 2004 11:16:45 +0200 |
---|
1383 | |
---|
1384 | moodle (1.3.1-1) unstable; urgency=low |
---|
1385 | |
---|
1386 | * New upstream release, closes: #252693 |
---|
1387 | * Added "exec 0<&1" to postinst to fix hang when ucf asks the user |
---|
1388 | |
---|
1389 | -- Isaac Clerencia <isaac@sindominio.net> Fri, 4 Jun 2004 23:45:37 +0200 |
---|
1390 | |
---|
1391 | moodle (1.2.1-3) unstable; urgency=low |
---|
1392 | |
---|
1393 | * Added a choice to use apache-perl in addition to apache and apache-ssl |
---|
1394 | * Changed back priority to Optional, because no longer depends on php4-gd2 |
---|
1395 | |
---|
1396 | -- Isaac Clerencia <isaac@sindominio.net> Thu, 22 Apr 2004 11:32:40 +0200 |
---|
1397 | |
---|
1398 | moodle (1.2.1-2) unstable; urgency=low |
---|
1399 | |
---|
1400 | * Changed depends on php4-gd2 to php4-gd, closes: #243717 |
---|
1401 | |
---|
1402 | -- Isaac Clerencia <isaac@sindominio.net> Tue, 20 Apr 2004 23:16:47 +0200 |
---|
1403 | |
---|
1404 | moodle (1.2.1-1) unstable; urgency=low |
---|
1405 | |
---|
1406 | * New upstream release |
---|
1407 | * Added ucf for better handling of config files |
---|
1408 | * Changed priority to Extra |
---|
1409 | |
---|
1410 | -- Isaac Clerencia <isaac@sindominio.net> Tue, 30 Mar 2004 22:01:33 +0200 |
---|
1411 | |
---|
1412 | moodle (1.1.1-4) unstable; urgency=low |
---|
1413 | |
---|
1414 | * Added French debconf templates translation, closes: #235572 |
---|
1415 | |
---|
1416 | -- Isaac Clerencia <isaac@sindominio.net> Mon, 1 Mar 2004 12:22:03 +0100 |
---|
1417 | |
---|
1418 | moodle (1.1.1-3) unstable; urgency=low |
---|
1419 | |
---|
1420 | * Fixed debconf stuff by adding POTFILES.in, closes: #233114 |
---|
1421 | Thanks to Martin Quirson. |
---|
1422 | * Fixed bug in config generation that caused passwords including '$' |
---|
1423 | to break the authentication |
---|
1424 | * Removed moodle prefix from some debian/ files |
---|
1425 | * Changed depend on debconf to misc:Depends |
---|
1426 | * Updated version for debhelper build-depend to 4.1.13 |
---|
1427 | |
---|
1428 | -- Isaac Clerencia <isaac@sindominio.net> Tue, 17 Feb 2004 23:55:45 +0100 |
---|
1429 | |
---|
1430 | moodle (1.1.1-2) unstable; urgency=low |
---|
1431 | |
---|
1432 | * Now depends on php4-pgsql or php4-mysql not both |
---|
1433 | * Added recommends for postgresql or mysql-server |
---|
1434 | * Added documentation dir |
---|
1435 | * Added wget in Depends: and changed cron.d to use wget |
---|
1436 | * Fixed postinst to put the correct protocol in config.php and cron.d/moodle |
---|
1437 | |
---|
1438 | -- Isaac Clerencia <isaac@sindominio.net> Thu, 27 Nov 2003 23:14:11 +0100 |
---|
1439 | |
---|
1440 | moodle (1.1.1-1) unstable; urgency=low |
---|
1441 | |
---|
1442 | * Initial Debian Release, closes: #222475 |
---|
1443 | |
---|
1444 | -- Isaac Clerencia <isaac@sindominio.net> Thu, 27 Nov 2003 23:14:11 +0100 |
---|
1445 | |
---|