Moodle 1.4.4 has an important security bug in a "hidden" utility.
The file delete.php is an easy way to completely delete your Moodle data, but
*as it is now* it can be used by a non-privileged attacker.
The easiest proposed fix is to just not ship the file with Moodle, as it's a
"hidden", not-usually-used feature.
I've already uploaded 1.4.4.dfsg.1-3 to unstable to deal with this issue.
Please accept it in Sarge.
debdiff
-------
Files in first .deb but not in second
-------------------------------------
/usr/share/moodle/admin/delete.php
The following lines in the control files differ (wdiff output format):
----------------------------------------------------------------------
Version: [-1.4.4.dfsg.1-2-] {+1.4.4.dfsg.1-3+}
Installed-Size: [-57840-] {+57836+}
interdiff
---------
diff -u moodle-1.4.4.dfsg.1/debian/changelog
moodle-1.4.4.dfsg.1/debian/changelog
--- moodle-1.4.4.dfsg.1/debian/changelog
+++ moodle-1.4.4.dfsg.1/debian/changelog
@@ -1,3 +1,10 @@
+moodle (1.4.4.dfsg.1-3) unstable; urgency=high
+
+ * Urgency high as this upload closes a security bug
+ * Remove admin/delete.php on installation, fixes an important security bug
+
+ -- Isaac Clerencia <isaac@debian.org> Mon, 30 May 2005 20:45:33 +0200
+
moodle (1.4.4.dfsg.1-2) unstable; urgency=low
* Use find | xargs instead of rm to remove old sessions, closes: #300266
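Review bot: the new changelog entry ("Remove admin/delete.php on installation, fixes an important security bug") does not say what the bug is or reference a bug report, while the entry just below it does ("closes: #300266"); since this upload is being requested for Sarge on security grounds, the entry should state the issue as the mail describes it (delete.php can be invoked by a non-privileged user to wipe the Moodle data) and carry a bug or advisory reference if one exists, so the release team can trace the fix from the package metadata alone.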
diff -u moodle-1.4.4.dfsg.1/debian/rules moodle-1.4.4.dfsg.1/debian/rules
--- moodle-1.4.4.dfsg.1/debian/rules
+++ moodle-1.4.4.dfsg.1/debian/rules
@@ -49,6 +49,7 @@
chmod 755
debian/moodle/usr/share/moodle/mod/wiki/ewiki/fragments/mkhuge
chmod 755 debian/moodle/usr/share/moodle/filter/algebra/algebra2tex.pl
rm -f debian/moodle/usr/share/moodle/filter/tex/*mimetex*
+ rm -f debian/moodle/usr/share/moodle/admin/delete.php
dh_installdebconf
dh_link
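Review bot: `rm -f debian/moodle/usr/share/moodle/admin/delete.php` succeeds silently when the path does not exist, so if a later upstream tarball moves or renames the utility the build will still pass and the file could be shipped again unnoticed; consider dropping `-f` (or adding an explicit `test -f` check) so the build fails loudly if the file is not where this rule expects it, and add a short comment next to the line recording why it is removed, as the surrounding `rm -f` for mimetex has no such context either.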
Best regards
--
Isaac Clerencia at Warp Networks, http://www.warp.es
Work: <isaac@warp.es> | Debian: <isaac@debian.org>
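Administrators and package maintainers checking whether the fix described above has actually taken effect can verify that the utility is gone from both the installed tree and the package's file list. The following script is an added example and is not part of the mail or of the Debian moodle package; the path `/usr/share/moodle/admin/delete.php` is taken from the debdiff above, `dpkg -L moodle` is the standard way to list a package's files, and the sample tree and listing in `demo` are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail or the Debian moodle package):
# confirm that admin/delete.php is absent from a Moodle install tree and from
# a package file listing, e.g. the output of `dpkg -L moodle`.

# Relative and packaged paths of the utility, as named in the debdiff.
DELETE_PHP_REL="admin/delete.php"
DELETE_PHP_PKG="/usr/share/moodle/admin/delete.php"

# Return 0 if the Moodle tree rooted at $1 contains no admin/delete.php,
# 1 (with a message on stderr) if the file is still present.
moodle_tree_clean() {
  root="$1"
  if [ -e "$root/$DELETE_PHP_REL" ]; then
    printf 'FAIL: %s is present\n' "$root/$DELETE_PHP_REL" >&2
    return 1
  fi
  printf 'OK: %s not found under %s\n' "$DELETE_PHP_REL" "$root"
  return 0
}

# Read a file listing (one absolute path per line) from stdin and return 0
# if it does not ship the utility, 1 if it does. Feed it with
#   dpkg -L moodle | listing_clean
# on a Debian system, or with the last column of `dpkg-deb -c moodle_*.deb`.
listing_clean() {
  if grep -q "^$DELETE_PHP_PKG\$"; then
    printf 'FAIL: listing ships %s\n' "$DELETE_PHP_PKG" >&2
    return 1
  fi
  printf 'OK: listing does not ship %s\n' "$DELETE_PHP_PKG"
  return 0
}

# Constructed demonstration data: one clean tree, one tree still carrying
# the file, and a fake listing that still includes it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/fixed/admin" "$tmp/vuln/admin"
  : > "$tmp/vuln/admin/delete.php"
  moodle_tree_clean "$tmp/fixed"
  moodle_tree_clean "$tmp/vuln" || true
  printf '%s\n' /usr/share/moodle/admin/index.php "$DELETE_PHP_PKG" | listing_clean || true
  rm -rf "$tmp"
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) demo ;;
esac
```

Both functions return non-zero on failure so they can be dropped into a post-upgrade check or a piuparts-style package test without further wrapping; note that they only confirm the file is absent and say nothing about other copies of Moodle installed outside the packaged path.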