This bug was fixed in the package moodle - 1.9.4.dfsg-0ubuntu1
---------------
moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low

* Merge with Debian git (Closes LP: #322961, #239481, #334611):
- use Ubuntu's smarty lib directory for linking
- use internal yui library
- add update-notifier support back in
[ Matt Oquist ]
* renamed prerm script
* significantly rewrote postinst and other maintainer scripts to improve
user experience and package maintainability
(Closes LP: #225662, #325450, #327843, #303078, #234609)

moodle (1.9.4.dfsg-1) UNRELEASED; urgency=low
* New Upstream Version (closes: #475535, #514284, #515823)
(added notes/ and tag/ to debian/install)
* Merge with Ubuntu:
- drop use of wwwconfig (closes: #389502, #302205)
- debian/postinst: ucf fixes (fixes a hang)
* Remove preinst (no more direct upgrades from sarge)
* Remove PHP4 support from the Apache config file we provide
* Drop support for apache 1.x and remove from debconf
* Add Swedish debconf translation (closes: #511202)
* Bump debhelper compatibility to 7
* Add lintian overrides for known customised libraries
* Add new license files to delete (lintian warning)
* Compress the deb with bzip2
* Add a watch file
* Update copyright file
Dependencies:
* Depend on libjs-yui instead of yui (renamed after lenny)
* Add dependency on unzip
* Recommend php5-xmlrpc and aspell
* Suggest clamav
* Demoted mimetex to recommended
Generated config:
* Turn 'dbpersist' on by default in the generated config.php
* Include whitespace warning at the end of generated config.php
* Set the path to du, unzip and zip

moodle (1.8.2.dfsg-4) unstable; urgency=high
* Improve the fix for log URL filtering as suggested by Steffen Joeris
(MSA-09-0007 / CVE-2009-0500)
* Backport upstream fix for calendar export leakage
(MSA-09-0006 / CVE-2009-0501)

moodle (1.8.2.dfsg-3) unstable; urgency=high
* Delete unused (but vulnerable) Spellchecker plugin to htmlarea
(MSA-09-0005, CVE-2008-5153)
* Hide images of deleted users (MSA-09-0001)
* Fix user pix disclosure (MSA-09-0002)
* Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
* Fix XSS vulnerabilities in logs (MSA-09-0007)
* Fix CSRF vulnerability in forum code (MSA-09-0008)

moodle (1.8.2.dfsg-2) unstable; urgency=high
[ Dan Poltawski ]
* Patch SQL injection bug in hotpot module (MSA-08-0010)
* Fix XSS bug in logged urls (MDL-11414)
* Fix XSS bug in install script (MSA-08-0004)
* Fix insufficient access control in Login as feature (MSA-08-0003)
* Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
* Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
* Fix CSRF in messaging settings (MSA-08-0023)
* Fix anonymous group creation and html injection (MDL-11759)
* Fix SQL injection bug in mnet (MDL-9288)
* Fix SQL injection bug in restore (MDL-11857)
* Insufficient cleaning of essay questions (MDL-12079)
* Fix insufficient cleaning of PARAM_HOST (MDL-12793)
* Fix XSS bug in logged urls (MDL-11414)
* Fix uncleaned params in wiki (MDL-14806)
[ Francois Marier ]
* Update html2text to prevent code execution attacks (closes: #508909)

moodle (1.8.2.dfsg-1) unstable; urgency=high
* Replace html2text with a GPL alternative (closes: #507947)
* Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
* Add Dan Poltawski to the uploaders field

moodle (1.8.2-2) unstable; urgency=high
* Adopt orphaned package (closes: #494642)
* Acknowledge security NMU (closes: #489533, #432264)
* Add Vcs-* fields to debian/control
Release-critical and security bugs:
* Depend on smarty instead of using the embedded copy that is shipped
with Moodle (closes: #471158, #488525, #504345)
* Patch security bug in the embedded (and customised) copy of phpmailer
(CVE-2007-3215, closes: #429339, #429190)
* Patch cross-site scripting bug (CVE-2008-3326, closes: #492492)
* Patch snoopy input sanitising (CVE-2008-4796, closes: #504235)
* Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069)
Trivial bug fixes:
* Depend on zip (closes: #408995)
* Add mysql-client as an alternative to postgresql-client
(closes: #417554, #469094)
* Recommend php5-ldap (closes: #425839)
* Delete unnecessary script with bashisms (closes: #489634)
Lintian warnings:
* Bump Standards-Version to 3.8.0
* Add homepage field to debian/control
* Remove cvsignore file
* Remove extra license file
* Depend on yui instead of using an embedded copy

moodle (1.8.2-1.3) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix broken HTML filtering which could be used to perform XSS attacks,
bypass restrictions or possibly execute arbitrary code
(CVE-2008-1502; Closes: #489533).

-- Jordan Mantha <email address hidden> Wed, 25 Feb 2009 15:16:22 -0800