Moritz Muehlenhoff
2010-Oct-25 17:06 UTC
[Secure-testing-team] Bug#601384: 1.9.10 fixes security issues
Package: moodle
Severity: grave
Tags: security

Dear Moodle maintainers,

Moodle embeds a copy of PHPCAS, which had a couple of security issues. I contacted them and they now released a new 1.9.10 version, which fixes this and other security issues, see http://moodle.org/security/:

MSA-10-0016: Multiple phpCAS library vulnerabilities
MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0
MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11

MSA-10-0014 seems a bit of a mystery to me; the downloaded tarball doesn't contain a local copy of phpmyadmin? (Which would be a pretty horrible code duplication.)

As for MSA-10-0015: Please check whether it's possible to patch Moodle to use the php-htmlpurifier package from the archive instead of providing its own local copy. If that is not possible, we can proceed with patching Moodle's version.

For PHPCAS, there isn't yet a package in the archive. An RFP exists (#495542); it would be nice if Moodle could switch to a central package for Wheezy.

Please don't package the full new 1.9.10 package for Squeeze, but only pull in the phpcas and htmlpurifier changes; this makes it easier for the release team to review the changes.
Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
pn  apache2-mpm-prefork | httpd   <none>        (no description available)
ii  debconf [debconf-2.0]         1.5.36        Debian configuration management sy
pn  libapache2-mod-php5 | php5-c  <none>        (no description available)
pn  mimetex                       <none>        (no description available)
pn  php5-cli                      <none>        (no description available)
pn  php5-curl                     <none>        (no description available)
pn  php5-gd                       <none>        (no description available)
pn  php5-pgsql | php5-mysql       <none>        (no description available)
pn  postgresql-client             <none>        (no description available)
ii  ucf                           3.0025+nmu1   Update Configuration File: preserv
pn  wwwconfig-common              <none>        (no description available)

Versions of packages moodle recommends:
pn  postgresql | mysql-server     <none>        (no description available)

moodle suggests no packages.