Moodle 1.4.4 has an important security bug in a "hidden" utility. The file delete.php is an easy way to completely delete your Moodle data, but *as it is now* it can be used by a non-privileged attacker. The easiest proposed fix is to just not ship the file with Moodle, as it's a "hidden", not-usually-used feature. I've already uploaded 1.4.4.dfsg.1-3 to unstable to deal with this issue. Please accept it in Sarge.

debdiff ------- Files in first .deb but not in second ------------------------------------- /usr/share/moodle/admin/delete.php The following lines in the control files differ (wdiff output format): ---------------------------------------------------------------------- Version: [-1.4.4.dfsg.1-2-] {+1.4.4.dfsg.1-3+} Installed-Size: [-57840-] {+57836+} interdiff --------- diff -u moodle-1.4.4.dfsg.1/debian/changelog moodle-1.4.4.dfsg.1/debian/changelog --- moodle-1.4.4.dfsg.1/debian/changelog +++ moodle-1.4.4.dfsg.1/debian/changelog @@ -1,3 +1,10 @@ +moodle (1.4.4.dfsg.1-3) unstable; urgency=high + + * Urgency high as this upload closes a security bug + * Remove admin/delete.php on installation, fixes an important security bug + + -- Isaac Clerencia <isaac@debian.org> Mon, 30 May 2005 20:45:33 +0200 + moodle (1.4.4.dfsg.1-2) unstable; urgency=low * Use find | xargs instead of rm to remove old sessions, closes: #300266 diff -u moodle-1.4.4.dfsg.1/debian/rules moodle-1.4.4.dfsg.1/debian/rules --- moodle-1.4.4.dfsg.1/debian/rules +++ moodle-1.4.4.dfsg.1/debian/rules @@ -49,6 +49,7 @@ chmod 755 debian/moodle/usr/share/moodle/mod/wiki/ewiki/fragments/mkhuge chmod 755 debian/moodle/usr/share/moodle/filter/algebra/algebra2tex.pl rm -f debian/moodle/usr/share/moodle/filter/tex/*mimetex* + rm -f debian/moodle/usr/share/moodle/admin/delete.php dh_installdebconf dh_link

Best regards
-- Isaac Clerencia at Warp Networks, http://www.warp.es Work: <isaac@warp.es> | Debian: <isaac@debian.org>
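Review bot: the new changelog entry for 1.4.4.dfsg.1-3 gives no bug number or CVE identifier for the admin/delete.php issue, unlike the previous entry, which records "closes: #300266"; without a reference the security tracker and the release team cannot tie this urgency=high upload to the report it fixes. Suggest appending the bug number (or a "[PLACEHOLDER: CVE id]" once one is assigned) to the "Remove admin/delete.php on installation" line.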
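Review bot: the debian/rules hunk removes admin/delete.php at build time (the "rm -f debian/moodle/usr/share/moodle/admin/delete.php" line) rather than adding the privilege check the file lacks, so the root cause described in the mail, that a non-privileged user can reach it, is not addressed in the shipped code; an administrator who copies the file back from an upstream tarball reintroduces the problem. Suggest noting in README.Debian or the changelog that the file is intentionally absent and why, and that the upstream fix be tracked for the next upload. The rm -f placement after the mimetex cleanup and before dh_installdebconf is consistent with the surrounding lines.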