moodle (1.8.2-1.2ubuntu2.1) intrepid-security; urgency=low

  * SECURITY UPDATE: backported upstream fixes from Moodle 1.8.9 and earlier.
    - CVE-2008-4796_snoopy.dpatch: did not escape shell characters when
      using https (MSA-09-0003).
    - msa090006_CVE-2009-0501_calendar.dpatch: do not expose usernames via
      calendar export errors.
    - CVE-2007-3215_phpmailer.dpatch: escape sender email address when
    - html2text-update.dpatch: html cleaning improved (MSA-08-0026,
    - CVE-2008-5432_wiki.dpatch: escape wiki titles in recent changes
    - msa080010_hotpot.dpatch: block SQL injections in HotPot reports
      (MSA-08-0010, CVE-2008-6124).
    - msa080004_install.dpatch: stop XSS in unconfigured installs.
    - msa08003_login-as.dpatch: correctly validate permissions when attempting
    - msa080015_deleted-user-profiles.dpatch: do not display deleted user
    - msa080021_text-cleaning.dpatch: stop XSS in certain string format
    - msa080023_message-csrf.dpatch: require sessionkey for instant messages
    - mdl11759_group-creation.dpatch: stop XSS in group creation.
    - MDL-9288_mnet.dpatch: correctly escape user names in mnet.
    - MDL-11857_restore.dpatch: stop SQL injection from restore.
    - mdl12079_essayquestions.dpatch: block XSS in essay questions.
    - mdl12793_PARAM_HOST.dpatch: block XSS in host parameter.
    - mdl14806_wiki-params.dpatch: block XSS in wiki parameters.
    - msa090001.dpatch: allow removal of deleted-user pictures.
    - msa090002.dpatch: block access to deleted-user pictures.
    - msa090004.dpatch: stop XSS in "login as" (CVE-2009-0502).
    - msa090007{,_cleanup-prep}.dpatch: add more input validation to
      prevent XSS via inputs (CVE-2009-0500).
    - msa090008.dpatch: add session key to forum actions to stop CSRF
    - CVE-2009-1171.dpatch: blacklist TeX functions that allow arbitrary file
      inclusion (MSA-09-0009, CVE-2009-1171).
  * SECURITY UPDATE: Smarty template processor security fixes.
    - smarty_dollar_sign.dpatch: stop php execution via templates
      (CVE-2008-4810, CVE-2008-4811).
    - smarty_math_backticks.dpatch: stop backtick processing in math
      expressions (CVE-2009-1669).
  * SECURITY UPDATE: remove unsafe and unused SpellChecker extension.
    - debian/rules: remove SpellChecker (CVE-2008-5153).

 -- Kees Cook <kees@ubuntu.com>  Fri, 19 Jun 2009 16:50:43 -0700

moodle (1.8.2-1.2ubuntu2) intrepid; urgency=low

  * SECURITY UPDATE: arbitrary code execution via multiple vectors.