[Secure-testing-team] Many security fixes in moodle 1.8.2.dfsg-2

Francois Marier francois at debian.org
Thu Dec 18 01:52:33 UTC 2008


Hello,

Please disregard my previous email about Moodle 1.8.2.dfsg-1. That package
accidentally introduced a new vulnerability.

We have fixed that one and have gone through all of the Moodle security
advisories to make sure that we have not missed any issues. It turns out we
were missing quite a few. So I have uploaded 1.8.2.dfsg-2 (to unstable)
which fixes all of them:

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update html2text to prevent code execution attacks (closes: #508909)

 -- Francois Marier <francois at debian.org>  Wed, 17 Dec 2008 13:37:10 +1300


Please let me know whether you want me to go ahead and request a freeze
exception or whether I should instead upload to the testing security queue.

Note that the upstream source has changed since we had to remove a non-free
library.

Cheers,
Francois


