[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Please, accept Moodle 1.4.4-3 in Sarge

Moodle 1.4.4 has an important security bug in a "hidden" utility.

The file delete.php is an easy way to completely delete your Moodle data, but 
*as it is now* it can be used by a non-privileged attacker.

The easiest proposed fix is to just don't ship the file with Moodle, as it's a 
"hidden", not-usually-used feature.

I've already uploaded 1.4.4.dfsg.1-3 to unstable to deal with this issue.

Please, accept it in Sarge.

Files in first .deb but not in second

The following lines in the control files differ (wdiff output format):
Version: [-1.4.4.dfsg.1-2-] {+1.4.4.dfsg.1-3+}
Installed-Size: [-57840-] {+57836+}

diff -u moodle-1.4.4.dfsg.1/debian/changelog 
--- moodle-1.4.4.dfsg.1/debian/changelog
+++ moodle-1.4.4.dfsg.1/debian/changelog
@@ -1,3 +1,10 @@
+moodle (1.4.4.dfsg.1-3) unstable; urgency=high
+  * Urgency high as this upload closes a security bug
+  * Remove admin/delete.php on installation, fixes an important security bug
+ -- Isaac Clerencia <isaac@debian.org>  Mon, 30 May 2005 20:45:33 +0200
 moodle (1.4.4.dfsg.1-2) unstable; urgency=low

   * Use find | xargs instead of rm to remove old sessions, closes: #300266
diff -u moodle-1.4.4.dfsg.1/debian/rules moodle-1.4.4.dfsg.1/debian/rules
--- moodle-1.4.4.dfsg.1/debian/rules
+++ moodle-1.4.4.dfsg.1/debian/rules
@@ -49,6 +49,7 @@
        chmod 755 
        chmod 755 debian/moodle/usr/share/moodle/filter/algebra/algebra2tex.pl
        rm -f debian/moodle/usr/share/moodle/filter/tex/*mimetex*
+       rm -f debian/moodle/usr/share/moodle/admin/delete.php


Best regards

Isaac Clerencia at Warp Networks, http://www.warp.es
Work: <isaac@warp.es>   | Debian: <isaac@debian.org>

Attachment: pgpjPw0lixaHX.pgp
Description: PGP signature

Reply to: