merge moodle 1.8.2.dfsg-3

Bug #322961 reported by Kees Cook
Affects          Status        Importance  Assigned to  Milestone
moodle (Ubuntu)  Fix Released  High        LaserJock
Jaunty           Fix Released  High        LaserJock

Bug Description

Binary package hint: moodle

The latest moodle is needed in Jaunty to close various security bugs. Relevant changelog entries:
moodle (1.8.2.dfsg-3) unstable; urgency=high

  * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
    (MSA-09-0005, CVE-2008-5153)
  * Hide images of deleted users (MSA-09-0001)
  * Fix user pix disclosure (MSA-09-0002)
  * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
  * Fix CSRF vulnerability in forum code (MSA-09-0008)

 -- Francois Marier <email address hidden> Mon, 02 Feb 2009 19:09:10 +1300

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update html2text to prevent code execution attacks (closes: #508909)

 -- Francois Marier <email address hidden> Wed, 17 Dec 2008 13:37:10 +1300

moodle (1.8.2.dfsg-1) unstable; urgency=high

  * Replace html2text with a GPL alternative (closes: #507947)
  * Fix XSS in the wiki module (CVE-2008-5432, closes: #508593)
  * Add Dan Poltawski to the uploaders field

 -- Francois Marier <email address hidden> Tue, 16 Dec 2008 20:24:27 +1300

Kees Cook (kees)
Changed in moodle:
assignee: nobody → ogra
importance: Undecided → Medium
milestone: none → jaunty-alpha-4
status: New → Confirmed
VPablo (villumar) wrote :

1.8.2.dfsg-3 available in Debian repositories:

   * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
     (MSA-09-0005, CVE-2008-5153)
   * Hide images of deleted users (MSA-09-0001)
   * Fix user pix disclosure (MSA-09-0002)
   * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
   * Fix XSS vulnerabilities in logs (MSA-09-0007)
   * Fix CSRF vulnerability in forum code (MSA-09-0008)

http://packages.debian.org/lenny/moodle

Dan Poltawski (dan-poltawski) wrote :

Hello,

A team of us (upstream moodle developers) have recently taken on the orphaned Moodle package in Debian. There have been a lot of fixes since you last merged. I just linked all the CVEs I could, although there are some further ones which were assigned yesterday which are fixed by 1.8.2.dfsg-3:

CVE-2009-0499 (MSA-09-0008)
CVE-2009-0500 (MSA-09-0007)
CVE-2009-0502 (MSA-09-0004)

Please let me know if I can be of assistance.

Dan Poltawski

LaserJock (laserjock)
description: updated
Changed in moodle:
assignee: ogra → laserjock
importance: Medium → High
milestone: jaunty-alpha-4 → jaunty-alpha-5
status: Confirmed → In Progress
LaserJock (laserjock) wrote :

Dan,
Thanks for taking on the Debian packaging, that's really awesome. I see you're using git for the Debian packaging, do you have a mailing list I can contact you guys on? I'd like to talk about perhaps getting some better Debian/Ubuntu collaboration going with moodle, especially concerning changes we've made, embedded libraries, and security coordination.

-Jordan

Dan Poltawski (dan-poltawski) wrote : Re: [Bug 322961] Re: merge moodle 1.8.2.dfsg-23

On Tue, Feb 10, 2009 at 06:36:46PM -0000, Jordan Mantha wrote:
> Dan,
> Thanks for taking on the Debian packaging, that's really awesome. I see you're using git for the Debian packaging, do you have a mailing list I can contact you guys on? I'd like to talk about perhaps getting some better Debian/Ubuntu collaboration going with moodle, especially concerning changes we've made, embedded libraries, and security coordination.

Hi Jordan,

Sure! We are currently using the mailing list:
<email address hidden>

cheers,

Dan

VPablo (villumar) wrote :

moodle (1.8.2.dfsg-4) available in Debian (sid) repositories:

 moodle (1.8.2.dfsg-4) unstable; urgency=high

   * Improve the fix for log URL filtering as suggested by Steffen Joeris
     (MSA-09-0007 / CVE-2009-0500)
   * Backport upstream fix for calendar export leakage
     (MSA-09-0006 / CVE-2009-0501)

 -- Francois Marier <francois(at)debian.org> Thu, 12 Feb 2009 17:27:07 +1300

http://packages.debian.org/sid/moodle

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package moodle - 1.9.4.dfsg-0ubuntu1

---------------
moodle (1.9.4.dfsg-0ubuntu1) jaunty; urgency=low

  * Merge with Debian git (Closes LP: #322961, #239481, #334611):
    - use Ubuntu's smarty lib directory for linking
    - use internal yui library
    - add update-notifier support back in

  [Matt Oquist]
    * renamed prerm script
    * significantly rewrote postinst and other maintainer scripts to improve
      user experience and package maintainability
      (Closes LP: #225662, #325450, #327843, #303078, #234609)

moodle (1.9.4.dfsg-1) UNRELEASED; urgency=low

  * New Upstream Version (closes: #475535, #514284, #515823)
    (added notes/ and tag/ to debian/install)
  * Merge with Ubuntu:
    - drop use of wwwconfig (closes: #389502, #302205)
    - debian/postinst: ucf fixes (fixes a hang)

  * Remove preinst (no more direct upgrades from sarge)
  * Remove PHP4 support from the Apache config file we provide
  * Drop support for apache 1.x and remove from debconf
  * Add swedish debconf translation (closes: #511202)

  * Bump debhelper compatibility to 7
  * Add lintian overrides for known customised libraries
  * Add new license files to delete (lintian warning)
  * Compress the deb with bzip2
  * Add a watch file
  * Update copyright file

  Dependencies:
  * Depend on libjs-yui instead of yui (renamed after lenny)
  * Add dependency on unzip
  * Recommend php5-xmlrpc and aspell
  * Suggest clamav
  * Demoted mimetex to recommended

  Generated config:
  * Turn 'dbpersist' on by default in the generated config.php
  * Include whitespace warning at the end of generated config.php
  * Set the path to du, unzip and zip

moodle (1.8.2.dfsg-4) unstable; urgency=high

  * Improve the fix for log URL filtering as suggested by Steffen Joeris
    (MSA-09-0007 / CVE-2009-0500)
  * Backport upstream fix for calendar export leakage
    (MSA-09-0006 / CVE-2009-0501)

moodle (1.8.2.dfsg-3) unstable; urgency=high

  * Delete unused (but vulnerable) Spellchecker plugin to htmlarea
    (MSA-09-0005, CVE-2008-5153)
  * Hide images of deleted users (MSA-09-0001)
  * Fix user pix disclosure (MSA-09-0002)
  * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004)
  * Fix XSS vulnerabilities in logs (MSA-09-0007)
  * Fix CSRF vulnerability in forum code (MSA-09-0008)

moodle (1.8.2.dfsg-2) unstable; urgency=high

  [ Dan Poltawski ]
  * Patch SQL injection bug in hotpot module (MSA-08-0010)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix XSS bug in install script (MSA-08-0004)
  * Fix insufficient access control in Login as feature (MSA-08-0003)
  * Profiles of deleted users were accessible allowing for spam (MSA-08-0015)
  * Deficiency in text cleaning functions allowed for XSS (MSA-08-0021)
  * Fix CSRF in messaging settings (MSA-08-0023)
  * Fix anonymous group creation and html injection (MDL-11759)
  * Fix SQL injection bug in mnet (MDL-9288)
  * Fix SQL injection bug in restore (MDL-11857)
  * Insufficient cleaning of essay questions (MDL-12079)
  * Fix insufficient cleaning of PARAM_HOST (MDL-12793)
  * Fix XSS bug in logged urls (MDL-11414)
  * Fix uncleaned params in wiki (MDL-14806)

  [ Francois Marier ]
  * Update ht...


Changed in moodle:
status: In Progress → Fix Released
This report contains Public Security information. Everyone can see this security related information.
