Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

On 01/17/2013 10:15 AM, Didier 'OdyX' Raboud wrote:
> Please include the CVEs in the changelog entry, as done for the latest entry:
> they are important for security problems tracking. They are available in the
> mail I forwarded to you in private. (CVE-2012-6098 to CVE-2012-6106).

Hi Didier,

CVE numbers added, new changelog entry copied below for your convenience. MSA-13-0001 has no CVE assigned. Newest package available at:
dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low

  * Backport security issues from upstream Moodle 2.2.7.
    * MSA-13-0009: MDL-37467 - blog posts available via RSS after blogging disabled
      Fixes CVE-2012-6105
    * MSA-13-0007: MDL-36600 - course message sending CSRF
      Fixes CVE-2012-6103
    * MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker
    * MSA-13-0003: MDL-36977 - moodle backup paths not validated properly
      Fixes CVE-2012-6099
    * MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard when re-editing
      Fixes CVE-2012-6098
    * MSA-13-0004: MDL-33340 - activity report showing lastaccess even if field hidden
      Fixes CVE-2012-6100
    * MSA-13-0008: MDL-36620 - guest users can access RSS feed for site level blogs
      Fixes CVE-2012-6104
    * MSA-13-0005: MDL-35991 - open redirect issues
      Fixes CVE-2012-6101

 -- Tomasz Muras <nexor1984@gmail.com>  Tue, 15 Jan 2013 20:43:50 +0100


> Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that
> unstable gets the fixes targeted for Wheezy too. As unstable already diverged
> from the wheezy version, I think updating the unstable packaging to the latest
> 2.2 version is safe. I will also sponsor this version (after review, of
> course).

I want to move to the latest 2.4 in unstable, I'm just waiting for wheezy to be released to continue packaging work. I needed 2.2 in stable only because the upgrade path is 1.9 -> 2.2 -> 2.4.

cheers,
Tomek

