[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#695804: marked as done (unblock: moodle/2.2.3.dfsg-2.6~wheezy1 pre-approval CVE-2012-5583)

Your message dated Tue, 01 Jan 2013 17:20:10 +0000
with message-id <1357060810.15480.26.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#695804: unblock: moodle/2.2.3.dfsg-2.6~wheezy0
has caused the Debian Bug report #695804,
regarding unblock: moodle/2.2.3.dfsg-2.6~wheezy1 pre-approval CVE-2012-5583
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695804
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package moodle
I am about to get new version of the package uploaded to testing-proposed-updates. The new version fixes a security issue that is forwarded but not yet fixed upstream.
diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog 
--- moodle-2.2.3.dfsg/debian/changelog	2012-11-16 09:07:18.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/changelog	2012-12-12 19:19:22.000000000 +0100
@@ -1,3 +1,11 @@
+moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low
+
+  * Fix possible security issue for curl in 3-rd party libraries:
+    * phpCAS (CVE-2012-5583)
+    * amazon-s3-php-class
+
+ -- Tomasz Muras <nexor1984@gmail.com>  Tue, 27 Nov 2012 23:15:45 +0100
+
 moodle (2.2.3.dfsg-2.6~wheezy0) testing-proposed-updates; urgency=low

   * Re-upload -2.6 towards Wheezy.
diff -Nru moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch --- moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch 1970-01-01 01:00:00.000000000 +0100 +++ moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch 2012-12-12 19:20:03.000000000 +0100 
@@ -0,0 +1,49 @@
+From: Tomasz Muras <tomasz@muras.eu>
+Last-Update: 2012-12-12
+Bug: http://tracker.moodle.org/browse/MDL-36818
+Bug-amazon-s3-php-class: https://github.com/tpyo/amazon-s3-php-class/pull/36 
+Bug-phpCAS: https://github.com/Jasig/phpCAS/pull/58
+Forwarded: yes
+Description: Fix the value of CURLOPT_SSL_VERIFYHOST option.
+ Wrong use of CURLOPT_SSL_VERIFYHOST is a potential security issue.
+ The bug was reported by Alessandro Ghedini <ghedo@debian.org>, patch
+ created by Tomasz Muras and forwarded to Moodle and Moodle's upstream -
+ amazon-s3-php-class and phpCAS. There is no Debian bug or CVE issued yet
+ but Debian Security Team has been notified. CVE for phpCAS is CVE-2012-5583. 
+ The bug is not fixed in Moodle upstream yet.
+
+diff --git a/auth/cas/CAS/CAS/client.php b/auth/cas/CAS/CAS/client.php
+index 74d6893..d5c4212 100644
+--- a/auth/cas/CAS/CAS/client.php
++++ b/auth/cas/CAS/CAS/client.php
+@@ -2160,7 +2160,7 @@ class CASClient
+ 		if ($this->_cas_server_cert != '' && $this->_cas_server_ca_cert != '') {
+ // This branch added by IDMS. Seems phpCAS implementor got a bit confused about the curl options CURLOPT_SSLCERT and CURLOPT_CAINFO 
+ 			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+-			curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++			curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ 			curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);
+ 			curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
+ 			curl_setopt($ch, CURLOPT_VERBOSE, '1');
+@@ -2172,7 +2172,7 @@ class CASClient
+ 			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+ 			curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
+ 		} else {
+-			curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++			curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ 			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ 		}
+ 		
+diff --git a/repository/s3/S3.php b/repository/s3/S3.php
+index dadfb5a..b5a11b6 100644
+--- a/repository/s3/S3.php
++++ b/repository/s3/S3.php
+@@ -1140,7 +1140,7 @@ final class S3Request {
+ 		curl_setopt($curl, CURLOPT_USERAGENT, 'S3/php');
+
+ 		if (S3::$useSSL) {
+-			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
++			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
+ 			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
+ 		}
+
diff -Nru moodle-2.2.3.dfsg/debian/patches/series moodle-2.2.3.dfsg/debian/patches/series --- moodle-2.2.3.dfsg/debian/patches/series 2012-11-10 16:09:16.000000000 +0100 +++ moodle-2.2.3.dfsg/debian/patches/series 2012-11-29 18:00:57.000000000 +0100 
@@ -18,3 +18,4 @@
 0018-MDL-34448-mod-data-Fixing-separate-groups-viewing-al.patch
 0019-MDL-33791-Portfolio-Fixed-security-issue-with-passin.patch
 0020-MDL-35558-mod_data-Show-only-own-entries-while-there.patch
+0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch


unblock moodle/2.2.3.dfsg-2.6~wheezy1


Tomasz Muras

--- End Message ---
--- Begin Message --- 
On Sun, 2012-12-30 at 12:38 +0000, Adam D. Barratt wrote:
> On Wed, 2012-12-12 at 21:39 +0100, Tomasz Muras wrote:
> 
> > +moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low
> > +
> > +  * Fix possible security issue for curl in 3-rd party libraries:
> 
> s/3-rd/3rd/
> 
> > +    * phpCAS (CVE-2012-5583)
> > +    * amazon-s3-php-class
> 
> Please go ahead; thanks.

Approved.

Regards,

Adam

--- End Message ---
Reply to: