Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Control: retitle -1 tpu: package moodle/2.2.3.dfsg-2.6~wheezy2
(CC'ing the security team for information)
Hi Tomasz, and thanks for this upload proposal,
On Tuesday, 15 January 2013 22.35:54, Tomasz Muras wrote:
> Please unblock package moodle
>
> I am about to get a new version of the package uploaded to
> testing-proposed-updates. The new version fixes security issues from
> the upstream release.
I will sponsor this upload once and if it gets accepted by the release team.
> diff -Nru moodle-2.2.3.dfsg/debian/changelog
> moodle-2.2.3.dfsg/debian/changelog
> --- moodle-2.2.3.dfsg/debian/changelog 2012-12-31 18:26:26.000000000 +0100
> +++ moodle-2.2.3.dfsg/debian/changelog 2013-01-15 22:29:57.000000000 +0100
> @@ -1,3 +1,17 @@
> +moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low
> +
> + * Backport security issues from upstream Moodle 2.2.7.
> + * MSA-13-0009: MDL-37467 - blog posts available via RSS after
> blogging disabled
> + * MSA-13-0007: MDL-36600 - course message sending CSRF
> + * MSA-13-0001: MDL-37283 - lack of sanitization for google
> spellchecker + * MSA-13-0003: MDL-36977 - moodle backup paths not
> validated properly + * MSA-13-0002: MDL-27619 - teachers can set
> outcomes to be standard when re-editing
> + * MSA-13-0004: MDL-33340 - activity report showing lastaccess even
> if field hidden
> + * MSA-13-0008: MDL-36620 - guest users can access RSS feed for site
> level blogs
> + * MSA-13-0005: MDL-35991 - open redirect issues
> +
> + -- Tomasz Muras <nexor1984@gmail.com> Tue, 15 Jan 2013 20:43:50 +0100
> +
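Review bot: In the new 2.2.3.dfsg-2.6~wheezy2 changelog entry, every fix is identified only by its MSA and MDL numbers and no item carries a CVE identifier, which makes the entry hard to match against security tracking; add the corresponding CVE id to each item, next to its MDL number. The summary line "Backport security issues from upstream Moodle 2.2.7" would read more accurately as "Backport security fixes from upstream Moodle 2.2.7". The MSA-13-0001, MSA-13-0003 and MSA-13-0002 items appear run together on shared lines in this quoted copy, so check that each one starts on its own "+" line in the actual debian/changelog.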
Please include the CVEs in the changelog entry, as done for the latest entry:
they are important for security problems tracking. They are available in the
mail I forwarded to you in private. (CVE-2012-6098 to CVE-2012-6106).
Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that
unstable gets the fixes targeted for Wheezy too. As unstable already diverged
from the wheezy version, I think updating the unstable packaging to the latest
2.2 version is safe. I will also sponsor this version (after review, of
course).
Cheers,
OdyX