* Fix path to cron (closes: #669229)
* New upstream version: 2.2.2+ (Build: 20120412)
closes: #658865,#664260,#647489,#443949,#441013,#505044,#375290
* Updated Standards-Version to 3.9.3
* Removing Dan from maintainers (thanks for all your work Dan!)
* Backporting security fixes from Moodle 1.9.17
- MSA-12-00013 DB activity export does not respect groups
(CVE-2012-1155, closes: #668411)
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- Danish (Joe Hansen). Closes: #658747
- Dutch (Jeroen Schot). Closes: #660243
- Brazilian Portuguese (Adriano Rafael Gomes). Closes: #668092
- Italian (Beatrice Torracca). Closes: #668161
* Backporting security fixes from Moodle 1.9.15 and 1.9.16
(closes: #652235)
- MSA-11-0054 Personal information leak
- MSA-11-0045 Potential to masquerade through MNet (CVE-2011-4584)
- MSA-11-0046 Insecure authentication transmission (CVE-2011-4585)
- MSA-11-0047 Possible injection attack in Calendar (CVE-2011-4586)
- MSA-11-0048 Password loss issue (CVE-2011-4587)
- MSA-11-0049 Network restriction ineffective with MNet (CVE-2011-4588)
- MSA-12-0007 Email injection prevention (CVE-2012-0796)
- MSA-12-0006 Additional email address validation (CVE-2012-0795)
- MSA-12-0005 Encryption enhancement (CVE-2012-0794)
- MSA-12-0004 Added profile image security (CVE-2012-0793)
- MSA-12-0003 Added password protection
- MSA-12-0002 Personal information leak, previously MSA-11-0040
(CVE-2011-4308 and CVE-2012-0792)
- MSA-12-0001 Recaptcha transmission consistency issue
* Backporting security fixes from Moodle 1.9.13 and 1.9.14
- MSA-11-0026 Fields in user upload CSV not being escaped (MDL-28360)
- MSA-11-0025 Group names in user upload CSV not being escaped (MDL-28197)
- MSA-11-0024 Recaptcha images were being authenticated
from an older server (MDL-27889) (closes: #638935)
- MSA-11-0020 Continue links in error messages can lead offsite (MDL-27464)
- MSA-11-0038 Database injection protection strengthened (MDL-29033)
- MSA-11-0037 Course section editing injection vulnerability (MDL-28722)
- MSA-11-0036 Messaging refresh vulnerability (MDL-29311)
- MSA-11-0032 MNET SSL validation issue (MDL-29148)
- MSA-11-0031 Forms API constant issue (MDL-23872)
* Make sure that smarty & yui symlinks are correct (closes: 603255,614712)
* Backporting security fixes from Moodle 1.9.11 and 1.9.12
- MSA-11-0002 Cross-site request forgery vulnerability in RSS block (MDL-18839)
- MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete (MDL-25754)
- MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information (MDL-26189)
- MSA-11-0011 Multiple cross-site scripting problems in media filter (MDL-26030)
- MSA-11-0015 Cross Site Scripting through URL encoding (MDL-26966)
- MSA-11-0013 Group/Quiz permissions issue (MDL-25122)
* Non-maintainer upload.
* Fix encoding of Swedish debconf translation.
* Added Romanian translation
* Updated Japanese translation (closes: #596820)
* Backporting security fixes from Moodle 1.9.10 (closes: #601384)
- Updated embedded CAS to 1.1.3
- Added patch for MDL-24523:
clean_text() not filtering text in markdown format
- Added patch for MDL-24810 and upgraded customized HTML Purifier to 4.2.0
- Added patch for MDL-24258:
students can delete their forum posts later than $CFG->maxeditingtime
under certain conditions
- Added patch for MDL-23377:
Can't delete quiz attempts in course without enrolled students
* Enable HTML purifier by default
* Added Japanese translation (closes: #593808)
* Removed swf files without source code from the source
and added README.source
* Updated bundled HTML purifier library - fix for
CVE-2010-2479 (closes: #593301)
[ Jonathan Wiltshire ]
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project. Closes: #588871
* Debconf translation updates:
- Russian (closes: #589247)
- Czech (closes: #589265)
- Swedish (closes: #589270)
- French (closes: #589510)
- German (closes: #590120)
- Spanish (closes: #590449)
- Portuguese (closes: #590556)
[ Tomasz Muras ]
* New debconf translation - Polish
* Removed .swf files as non-free (closes: #591201)
* Fixed generation of config.php for postgres (thanks Giles Westwood)
* Fixed JS includes for YUI library (closes: #589612)
* Bumped standards version to 3.9.0
* Moved BSD licenses into copyright (fixes lintian warning)
* Setting DM-Upload-Allowed as agreed with Xavier Oswald <xoswald@debian.org>
* Rewritten debian/rules
* Removed unnecessary usr/share/moodle/update-notifier
* New Upstream Version: 1.9.9
* New upstream fixes CVE-2010-1619 (closes: #585425)
* New upstream fixes MSA-10-0011 (closes: #586280)
[Tomasz Muras]
* New Maintainer (closes: #581229, #574969).
* New Upstream Version (closes: #475535).
* Added information about flvplayer to copyright (closes: #526543).
* phpCAS XSS vulnerability fixed in mainstream Moodle 1.9.8 (closes: #574757).
* Several security issues fixed in upstream (closes: #576189).
* Moodle depends on postgresql or MySQL (closes: #551399).
* Re-written to use dbconfig-common (closes: #302205).
* Updated copyright with two new entries (closes: #526543).
* Drop use of wwwconfig (closes: #389502).
* Package is now not creating Apache config automatically (closes: #555672).
It's up to the user to configure the webserver but package provides the
templates.
* Added "allow from localhost" (closes: #551402).
* Asking for wwwroot during the installation (closes: #302207).
* Removing nusoap as it's not necessary for PHP 5 (closes: #529573).
[Xavier Oswald]
* Add myself as uploader.
* Bump Standards-Version to 3.8.4.
* debian/copyright: update with DEP-5 format proposal.
* Switch to dpkg-source 3.0 (quilt) format
[Francois Marier]
* Bump debhelper compatibility to 7
* Add a watch file
* debian/control (dependencies)
- Depend on libjs-yui instead of yui (renamed after lenny)
- Add dependency on unzip
- Recommend php5-xmlrpc and aspell
- Suggest clamav
- Demoted mimetex to recommended
* Turn 'dbpersist' on by default in the generated config.php
* Include whitespace warning at the end of generated config.php
* Set the path to du, unzip and zip
* Fix a warning when E_STRICT is turned on
* Improve the fix for log URL filtering as suggested by Steffen Joeris
(MSA-09-0007 / CVE-2009-0500)
* Backport upstream fix for calendar export leakage
(MSA-09-0006 / CVE-2009-0501)
* Delete unused (but vulnerable) Spellchecker plugin to htmlarea
(MSA-09-0005, CVE-2008-5153)
* Hide images of deleted users (MSA-09-0001)
* Fix user pix disclosure (MSA-09-0002)
* Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
* Fix XSS vulnerabilities in logs (MSA-09-0007)
* Fix CSRF vulnerability in forum code (MSA-09-0008)
[ Dan Poltawski ]
* Patch SQL injection bug in hotpot module (MSA-08-0010)
* Fix XSS bug in logged urls (MDL-11414)
* Fix XSS bug in install script (MSA-08-0004)
* Fix insufficient access control in Login as feature (MSA-08-0003)
* Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
* Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
* Fix CSRF in messaging settings (MSA-08-0023)
* Fix anonymous group creation and html injection (MDL-11759)
* Fix SQL injection bug in mnet (MDL-9288)
* Fix SQL injection bug in restore (MDL-11857)
* Insufficient cleaning of essay questions (MDL-12079)
* Fix insufficient cleaning of PARAM_HOST (MDL-12793)
* Fix XSS bug in logged urls (MDL-11414)
* Fix uncleaned params in wiki (MDL-14806)
[ Francois Marier ]
* Update html2text to prevent code execution attacks (closes: #508909)
* Replace html2text with a GPL alternative (closes: #507947)
* Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
* Add Dan Poltawski to the uploaders field
* Adopt orphaned package (closes: #494642)
* Acknowledge security NMU (closes: #489533, #432264)
* Add Vcs-* fields to debian/control
Release-critical and security bugs:
* Depend on smarty instead of using the embedded copy that is shipped
with Moodle (closes: #471158, #488525, #504345)
* Patch security bug in the embedded (and customised) copy of phpmailer
(CVE-2007-3215, closes: #429339, #429190)
* Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
* Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
* Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)
Trivial bug fixes:
* Depend on zip (closes: #408995)
* Add mysql-client as an alternative to postgresql-client
(closes: #417554, #469094)
* Recommend php5-ldap (closes: #425839)
* Delete unnecessary script with bashisms (closes: #489634)
Lintian warnings:
* Bump Standards-Version to 3.8.0
* Add homepage field to debian/control
* Remove cvsignore file
* Remove extra license file
* Depend on yui instead of using an embedded copy
* Non-maintainer upload by the Security Team.
* Fix broken HTML filtering which could be used to perform XSS attacks,
bypass restrictions or possibly execute arbitrary code
(CVE-2008-1502; Closes: #489533).
moodle (1.8.2-1.2ubuntu2) intrepid; urgency=low
* SECURITY UPDATE: arbitrary code execution via multiple vectors.
- Add CVE-2008-1502.dpatch: upstream KSES lib fixes, thanks to Nico Golde.
moodle (1.8.2-1.2ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- Suggest php5-ldap
- Modify Maintainer value to match Debian-Maintainer-Field Spec
- debian/postinst ucf fixes
- drop use of wwwconfig (database code in postinst stolen from mythtv)
* Non-maintainer upload to fix pending l10n issues.
* Debconf translations:
- Japanese. Closes: #413105
- Spanish. Closes: #413779
- German. Closes: #415888
- Dutch. Closes: #425711
- Slovak. Closes: #437511
- Brazilian Portuguese. Closes: #437680
- Finnish. Closes: #468212
- Basque. Closes: #470362
- Galician. Closes: #470430
- Vietnamese. Closes: #470602
- Russian. Closes: #470790
* [Lintian] Fix format of NEWS.Debian
* [Lintian] Move debconf dependency to Pre-Depends as it is used
in the preinst script
* Non-maintainer upload from the Zurich BSP
* Added dependency on postgresql-client (Closes: #431589)
moodle (1.8.2-1ubuntu4) hardy; urgency=low
* debian/postinst: ... except we should explicitly pass --debconf-ok
to ucf, for compatibility with older versions.
moodle (1.8.2-1ubuntu3) hardy; urgency=low
* debian/postinst: Only call db_stop after ucf has been run in
handle_config(), since ucf itself uses debconf; and drop the
"exec 0<&1" workaround which no longer matters. LP: #203844
moodle (1.8.2-1ubuntu2) gutsy; urgency=low
* Package changed to avoid use of wwwconfig; borrowed database setup code
from Ubuntu mythtv package.
moodle (1.8.2-1ubuntu1) gutsy; urgency=low
* Merge from Debian unstable. Remaining Ubuntu changes:
- Depends on postgresql-client
- Suggest php5-ldap
- Modify Maintainer value to match Debian-Maintainer-Field Spec
* New upstream release, fixes security bug, closes: #432264
moodle (1.8.1-1ubuntu1) gutsy; urgency=low
* Merge from debian unstable, remaining changes:
- Depends on postgresql-client
- Suggest php5-ldap
- Set apache2 as default in debian/templates
- Update Maintainer field in debian/control
* New upstream release
* Add php5-curl | php4-curl dependency for the new network features
* No longer depend on php4 and apache 1
moodle (1.7.2-1ubuntu2) gutsy; urgency=low
* Switch back to postgresql-client and postgresql (LP: 110054)
* Suggest php5-ldap (LP: 107713)
moodle (1.7.2-1ubuntu1) gutsy; urgency=low
* Merge from Debian unstable. Remaining Ubuntu changes:
+ debian/control:
- php5 by default.
- Add postgresql-client-8.1 to Depends.
- Update Recommends alternate to postgresql-8.1.
+ debian/templates: Ensure the default corresponds to the install-
time dependencies (apache2).
* Modify Maintainer value to match Debian-Maintainer-Field Spec
* New upstream release
* New upstream release
* New upstream release
moodle (1.6.3-2ubuntu1) feisty; urgency=low
* Merge from debian unstable, remaining changes:
- debian/control:
+ php5 by default.
+ Add postgresql-client-8.1 to Depends.
+ Update Recommends alternate to postgresql-8.1.
- debian/templates: Ensure the default corresponds to the install-
time dependencies (apache2).
* Urgency high as it fixes a security bug and should enter Etch ASAP
* Fix security bug in the forum module (discuss.php)
moodle (1.6.3-1ubuntu1) feisty; urgency=low
* Merge from debian unstable. Remaining Ubuntu changes:
- debian/control:
+ php5 by default.
+ Add postgresql-client-8.1 to Depends.
+ Update Recommends alternate to postgresql-8.1.
- debian/templates: Ensure the default corresponds to the install-
time dependencies (apache2).
* New upstream release
* Urgency high because it fixes a critical security hole
* New upstream release, closes: #390294, critical security hole
* Notify the user if the selected server isn't installed, select apache2
by default instead of apache, closes: #389806
* Add a configuration section for php5 in apache.conf, closes: #387609
moodle (1.6.2-1ubuntu1.1) edgy; urgency=low
* SECURITY UPDATE: SQL injection vulnerability
* Add '01_sql-injection-fix.dpatch': Correctly escape tag options.
* References:
CVE-2006-5219
http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3
moodle (1.6.2-1ubuntu1) edgy; urgency=low
* Merge from Debian unstable. The following Ubuntu changes remain:
- debian/control:
+ Apply patch from Ubuntu #59472 to use php5
(Closes Ubuntu: #59472),
+ Add postgresql-client-8.1 to Depends (Closes Ubuntu: #51813),
+ Update Recommends alternate to postgresql-8.1,
- debian/templates: Ensure the default corresponds to the install-
time dependencies (apache2) so we can avoid the mess that was
worked around in dapper-security.
* New upstream release, closes: #387177
* Debconf translation updates/additions:
* Czech, closes: #371834
* French, closes: 372713
* Portuguese, closes: #381194
* Install config-dist.php in the documentation directory, closes: #386476
* New upstream release
* Moodle neither uses nor plans to use ADODB_Pager, so it's not affected by
#360396, but include patch for it anyway, just in case somebody decides to
use it out of the blue
moodle (1.6-2ubuntu1) edgy; urgency=low
[ Ubuntu Merge-o-Matic ]
* Merge from debian unstable.
* Fix two problems in preinst, thanks to Jordi Mallach's workmate
* Ship cron file in package instead of generating it at postinst
moodle (1.6-1ubuntu1) edgy; urgency=low
* Merge from debian unstable:
- Use Debian Sid's packaging save in debian/templates where we need
to make sure the default corresponds to the install-time
dependencies (apache2) so we can avoid the mess that was worked
around in dapper-security.
* New upstream release, needs newer PHP version, so updated versioned
dependencies
* New upstream release
* Depend on ucf
* Move debhelper to Build-Depends as it's used in the clean target of
debian/rules
* Add colons to debconf template short descriptions
* Bumped Standards-Version to 3.7.2, no changes needed
* New package created from 1.5.3+ branch, which includes several bugfixes
* Allow moodle to be installed using php5 instead of php4, closes: #351298
* Changed apache | httpd to apache2-mpm-prefork | httpd
* Throw cronjob output to /dev/null, closes: #349971
moodle (1.5.3+20060108-1ubuntu1) dapper; urgency=low
* Resynchronise with Debian.
* New package created from 1.5.3+ branch, which closes: #346509, a
security bug in the ADODB code included in Moodle
* Check for /usr/share/moodle/admin/cron.php existence in the cronjob,
closes: #342304
* Use php4-cli instead of wget to run the cronjob, closes: #345930
moodle (1.5.3-1ubuntu1) dapper; urgency=low
* Resynchronise with Debian.
* New upstream release
moodle (1.5.2-1ubuntu1) breezy; urgency=low
* Resync with debian (security update)
* changed dependencies to php5
* changed apache dependency to apache2
* References
CAN-2005-2247
* New upstream release
* New upstream release
* New upstream release
* Added Vietnamese debconf translation, closes: #312961
* Urgency high as this upload closes a security bug
* Remove admin/delete.php on installation, fixes an important security bug
* Use find | xargs instead of rm to remove old sessions, closes: #300266
* Urgency high as it closes a release critical bug and fixes some security
problems
* New upstream release
* Replaced non-free fonts with free fonts for some languages in the original
tarball, closes: #298938
* Set perms for /etc/moodle/config.php to 640 instead of 644, closes: #297237
* Use new option $CFG->respectsessionsettings = true; to clean sessions and
remove old sessions from /var/lib/moodle/sessions: closes: #295124
* Added cs.po debconf template translation, closes: #298208
* Remove /var/lib/moodle/ when purging
* Urgency high as upstream release fixes several security bugs
* New upstream release
* Write database creation errors and warn the user about it,
closes: #285842, #285842
* Create user before creating database in postinst
* New upstream release
* Urgency high, as this upstream release closes several security bugs
* Added some extra information to README.Debian, thanks to Kevin Coyner
* Added apache2 as a choice for autoconfiguration, closes: #275444
* Urgency medium, as it fixes the "default username" problem, which is a
www-config bug but affects lots of moodle users
* Use moodle as default database username, currently uses www-data which
causes www-config to fail to create the database
* Enabled Tex math filter and added mimetex in Depends:
* Removed an extra line from README.Debian
* Removed debian/overrides/ for lintian
* New upstream release, closes: #270855
* /var/lib/moodle is now owned by www-data, closes: #258283
* Added README.Debian with some hints for database setup,
closes: #272553, #270851
* New upstream release, closes: #256218, #256219
* Switched to a file in conf.d instead of an include in http.conf
* Added DirectoryIndex index.php to apache.conf file, closes: #247554
* New upstream release
* New upstream release
* New upstream release, closes: #252693
* Added "exec 0<&1" to postinst to fix hang when ucf asks the user
* Added a choice to use apache-perl in addition to apache and apache-ssl
* Changed back priority to Optional, because no longer depends on php4-gd2
* Changed depends on php4-gd2 to php4-gd, closes: #243717
* New upstream release
* Added ucf for better handling of config files
* Changed priority to Extra
* Added French debconf templates translation, closes: #235572
* Fixed debconf stuff by adding POTFILES.in, closes: #233114
Thanks to Martin Quirson.
* Fixed bug in config generation that caused passwords including '$'
to break the authentication
* Removed moodle prefix from some debian/ files
* Changed depend on debconf to misc:Depends
* Updated version for debhelper build-depend to 4.1.13
* Now depends on php4-pgsql or php4-mysql not both
* Added recommends for postgresql or mysql-server
* Added documentation dir
* Added wget in Depends: and changed cron.d to use wget
* Fixed postinst to put the correct protocol in config.php and cron.d/moodle
* Initial Debian Release, closes: #222475