Author: Joost van Baal
Revision Date: 2015-03-09 12:56:41 UTC

* debian/README.Debian: add authors and dates, in order to make status more
  clear.
* debian/watch: (trying to) get it working again, with revamped moodle.org website.
* debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
* For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
  will not get fixed: it's not a bug: the attack can only get launched by an
  administrator, and administrators need to be trusted. See also Debian
  bug #775842.
* Fix CVE-2014-4172 and CVE-2014-2054:
  - debian/rules, debian/control: don't use CAS client library as shipped with
    moodle (unchanged phpCAS 1.3.3, see upstream auth/cas/CAS/moodle_readme.txt)
    but php-cas as shipped with Debian (1.3.3-1 and 1.3.1-4+deb7u1); create
    symlinks /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php
    and /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes CVE-2014-4172.
  - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
    lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes both a
    license problem and a security problem: Although the PHP license is generally
    agreed to be DFSG-free, using it as a license on anything that isn't PHP
    itself makes the result non-free. PHP OLE is licensed under the PHP license.
    Older versions of PHP Excel, such as the one shipped with moodle, suffer from
    security problem CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
  This closed Debian bug "Multiple security issues"; thanks Moritz Muehlenhoff,
  Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

Author: Joost van Baal
Revision Date: 2015-03-09 12:56:41 UTC

* debian/README.Debian: add authors and dates, in order to make status more
  clear.
* debian/watch: (trying to) get it working again, with revamped moodle.org website.
* debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
* For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
  will not get fixed: it's not a bug: the attack can only get launched by an
  administrator, and administrators need to be trusted. See also Debian
  bug #775842.
* Fix CVE-2014-4172 and CVE-2014-2054:
  - debian/rules, debian/control: don't use CAS client library as shipped with
    moodle (unchanged phpCAS 1.3.3, see upstream auth/cas/CAS/moodle_readme.txt)
    but php-cas as shipped with Debian (1.3.3-1 and 1.3.1-4+deb7u1); create
    symlinks /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php
    and /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes CVE-2014-4172.
  - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
    lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes both a
    license problem and a security problem: Although the PHP license is generally
    agreed to be DFSG-free, using it as a license on anything that isn't PHP
    itself makes the result non-free. PHP OLE is licensed under the PHP license.
    Older versions of PHP Excel, such as the one shipped with moodle, suffer from
    security problem CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
  This closed Debian bug "Multiple security issues"; thanks Moritz Muehlenhoff,
  Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

Author: Joost van Baal
Revision Date: 2015-03-09 12:56:41 UTC

* debian/README.Debian: add authors and dates, in order to make status more
  clear.
* debian/watch: (trying to) get it working again, with revamped moodle.org website.
* debian/changelog: add even more CVE-numbers to entry 2.7.5+dfsg-1.
* For the record, https://security-tracker.debian.org/tracker/CVE-2013-3630
  will not get fixed: it's not a bug: the attack can only get launched by an
  administrator, and administrators need to be trusted. See also Debian
  bug #775842.
* Fix CVE-2014-4172 and CVE-2014-2054:
  - debian/rules, debian/control: don't use CAS client library as shipped with
    moodle (unchanged phpCAS 1.3.3, see upstream auth/cas/CAS/moodle_readme.txt)
    but php-cas as shipped with Debian (1.3.3-1 and 1.3.1-4+deb7u1); create
    symlinks /u/s/m/auth/cas/CAS/CAS.php -> /usr/share/php/CAS.php
    and /u/s/m/auth/cas/CAS/CAS -> /usr/share/php/CAS/. This fixes CVE-2014-4172.
  - debian/rules: remove /u/s/m/lib/phpexcel from binary package. Remove
    lib/phpexcel/PHPExcel/Shared/OLE* from upstream sources. This fixes both a
    license problem and a security problem: Although the PHP license is generally
    agreed to be DFSG-free, using it as a license on anything that isn't PHP
    itself makes the result non-free. PHP OLE is licensed under the PHP license.
    Older versions of PHP Excel, such as the one shipped with moodle, suffer from
    security problem CVE-2014-2054. See also Debian Bug #718585 "RFP: php-excel".
  This closed Debian bug "Multiple security issues"; thanks Moritz Muehlenhoff,
  Thijs Kinkhorst and Hubert Chathi (Closes: #775842)

Author: Thijs Kinkhorst
Revision Date: 2014-05-12 16:10:38 UTC

New upstream release.

Author: Thijs Kinkhorst
Revision Date: 2014-05-12 16:10:38 UTC

New upstream release.

Author: Brian Murray
Revision Date: 2014-02-06 11:34:01 UTC

debian/rules: correct location of /var/lib/moodle

Author: Brian Murray
Revision Date: 2014-02-06 11:34:01 UTC

debian/rules: correct location of /var/lib/moodle

Author: Thijs Kinkhorst
Revision Date: 2013-09-09 15:22:35 UTC

* New upstream version: 2.5.2.
  - Incorporates S3 security patch.

Author: Thijs Kinkhorst
Revision Date: 2013-09-09 15:22:35 UTC

* New upstream version: 2.5.2.
  - Incorporates S3 security patch.

Author: Tomasz (Tomek) Muras
Revision Date: 2012-11-15 21:50:13 UTC

New upstream version: 2.2.6 (Build: 20121112)

Author: Tomasz (Tomek) Muras
Revision Date: 2012-11-15 21:50:13 UTC

New upstream version: 2.2.6 (Build: 20121112)

Author: Didier Raboud
Revision Date: 2012-09-28 12:52:21 UTC

* Non-maintainer upload.

* Backport multiple security issues from upstream's MOODLE_22_STABLE
  branch. (Closes: #687924)
  - MSA-12-0051: MDL-30792 - File upload size constraint issue
    Fixes CVE-2012-4400
  - MSA-12-0052: MDL-28207 - Course topics permission issue
    Fixes CVE-2012-4401
  - MSA-12-0053: MDL-34585 - Blog file access issue
    Fixes CVE-2012-4407
  - MSA-12-0054: MDL-34519 - Course reset permission issue
    Fixes CVE-2012-4408
  - MSA-12-0055: MDL-34368 - Web service access token issue
    Fixes CVE-2012-4402

Author: Tomasz (Tomek) Muras
Revision Date: 2012-04-12 21:55:48 UTC

* Backporting security fixes from Moodle 1.9.17
   - MSA-12-00013 DB activtity export does not respect groups
       (CVE-2012-1155, closes: #668411)

Author: Tomasz (Tomek) Muras
Revision Date: 2011-05-18 20:57:59 UTC

* Backporting security fixes from Moodle 1.9.11 and 1.9.12
    - MSA-11-0002 Cross-site request forgery vulnerability in RSS block (MDL-18839)
    - MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete (MDL-25754)
    - MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information (MDL-26189)
    - MSA-11-0011 Multiple cross-site scripting problems in media filter (MDL-26030)
    - MSA-11-0015 Cross Site Scripting through URL encoding (MDL-26966)
    - MSA-11-0013 Group/Quiz permissions issue (MDL-25122)

Author: Tomasz (Tomek) Muras
Revision Date: 2010-10-30 12:19:28 UTC

* Added Romanian translation
* Updated Japanese translation (closes: #596820)
* Backporting security fixes from Moodle 1.9.10 (closes: #601384)
   - Updated embedded CAS to 1.1.3
   - Added patch for MDL-24523:
     clean_text() not filtering text in markdown format
   - Added patch for MDL-24810 and upgraded customized HTML Purifier to 4.2.0
   - Added patch for MDL-24258:
     students can delete their forum posts later than $CFG->maxeditingtime
     under certain conditions
   - Added patch for MDL-23377:
     Can't delete quiz attempts in course without enrolled students

Author: Jeremy Bícha
Revision Date: 2009-10-22 06:36:42 UTC

* Depends on PostgreSQL or MySQL to ensure host database is set up
  before moodle configuration (Closes LP: #440098, 378726)
* Moved debconf to depends instead of pre-depends.

Author: Jeremy Bícha
Revision Date: 2009-10-24 09:12:58 UTC

* Depend on PostgreSQL or MySQL to ensure host database is set up
  before moodle configuration (Closes LP: #378726, #440098)
* Move debconf to depends instead of pre-depends.

Author: Jeremy Bícha
Revision Date: 2009-10-24 03:08:51 UTC

Depend on PostgreSQL or MySQL to ensure host database is set up
before moodle configuration (Closes LP: #378726, #440098)

Author: Jeremy Bícha
Revision Date: 2009-10-22 06:36:42 UTC

* Depends on PostgreSQL or MySQL to ensure host database is set up
  before moodle configuration (Closes LP: #440098, 378726)
* Moved debconf to depends instead of pre-depends.

Author: Jeremy Bícha
Revision Date: 2009-10-24 03:08:51 UTC

Depend on PostgreSQL or MySQL to ensure host database is set up
before moodle configuration (Closes LP: #378726, #440098)

Author: Jeremy Bícha
Revision Date: 2009-10-22 06:36:42 UTC

* Depends on PostgreSQL or MySQL to ensure host database is set up
  before moodle configuration (Closes LP: #440098, 378726)
* Moved debconf to depends instead of pre-depends.

Author: Kees Cook
Revision Date: 2009-06-23 19:00:40 UTC

* SECURITY UPDATE: filter harmful TeX commands.
  - Add debian/patches/CVE-2009-1171_tex.dpatch: backported
    upstream fixes.

Author: Kees Cook
Revision Date: 2009-06-23 19:00:40 UTC

* SECURITY UPDATE: filter harmful TeX commands.
  - Add debian/patches/CVE-2009-1171_tex.dpatch: backported
    upstream fixes.

Author: LaserJock
Revision Date: 2009-02-25 15:16:22 UTC

* Merge with Debian git (Closes LP: #322961, #239481, #334611):
  - use Ubuntu's smarty lib directory for linking
  - use internal yui library
  - add update-notifier support back in

[Matt Oquist]
  * renamed prerm script
  * significantly rewrote postinst and other maintainer scripts to improve
    user experience and package maintainability
    (Closes LP: #225662, #325450, #327843, #303078, #234609)

Author: Kees Cook
Revision Date: 2009-06-19 16:50:43 UTC

* SECURITY UPDATE: backported upstream fixes from Moodle 1.8.9 and earlier.
  - CVE-2008-4796_snoopy.dpatch: did not escape shell characters when
    using https (MSA-09-0003).
  - msa090006_CVE-2009-0501_calendar.dpatch: do not expose usernames via
    calendar export errors.
  - CVE-2007-3215_phpmailer.dpatch: escape sender email address when
    calling sendmail.
  - html2text-update.dpatch: html cleaning improved (MSA-08-0026,
    CVE-2008-5619).
  - CVE-2008-5432_wiki.dpatch: escape wiki titles in recent changes
    list (MSA-08-0022).
  - msa080010_hotpot.dpatch: block SQL injections in HotPot reports
    (MSA-08-0010, CVE-2008-6124).
  - msa080004_install.dpatch: stop XSS in unconfigured installs.
  - msa08003_login-as.dpatch: correctly validate permissions when attempting
    to switch users.
  - msa080015_deleted-user-profiles.dpatch: do not display deleted user
    profiles.
  - msa080021_text-cleaning.dpatch: stop XSS in certain string format
    situations.
  - msa080023_message-csrf.dpatch: require sessionkey for instant messages
    to stop CSRF.
  - mdl11759_group-creation.dpatch: stop XSS in group creation.
  - MDL-9288_mnet.dpatch: correct escape users names in mnet.
  - MDL-11857_restore.dpatch: stop SQL injection from restore.
  - mdl12079_essayquestions.dpatch: block XSS in essay questions.
  - mdl12793_PARAM_HOST.dpatch: block XSS in host parameter.
  - mdl14806_wiki-params.dpatch: block XSS in wiki parameters.
  - msa090001.dpatch: allow removal of deleted-user pictures.
  - msa090002.dpatch: block access to deleted-user pictures.
  - msa090004.dpatch: stop XSS in "login as" (CVE-2009-0502).
  - msa090007{,_cleanup-prep}.dpatch: add more input validation to
    prevent XSS via inputs (CVE-2009-0500).
  - msa090008.dpatch: add session key to forum actions to stop CSRF
    (CVE-2009-0499).
  - CVE-2009-1171.dpatch: blacklist TeX functions that allow arbitrary file
    inclusion (MSA-09-0009, CVE-2009-1171).
* SECURITY UPDATE: Smarty template processor security fixes.
  - smarty_dollar_sign.dpatch: stop php execution via templates
    (CVE-2008-4810, CVE-2008-4811).
  - smarty_math_backticks.dpatch: stop backtick processing in math
    expressions (CVE-2009-1669).
* SECURITY UPDATE: remove unsafe and unused SpellChecker extension.
  - debian/rules: remove SpellChecker (CVE-2008-5153).

Author: Kees Cook
Revision Date: 2009-06-19 16:50:43 UTC

* SECURITY UPDATE: backported upstream fixes from Moodle 1.8.9 and earlier.
  - CVE-2008-4796_snoopy.dpatch: did not escape shell characters when
    using https (MSA-09-0003).
  - msa090006_CVE-2009-0501_calendar.dpatch: do not expose usernames via
    calendar export errors.
  - CVE-2007-3215_phpmailer.dpatch: escape sender email address when
    calling sendmail.
  - html2text-update.dpatch: html cleaning improved (MSA-08-0026,
    CVE-2008-5619).
  - CVE-2008-5432_wiki.dpatch: escape wiki titles in recent changes
    list (MSA-08-0022).
  - msa080010_hotpot.dpatch: block SQL injections in HotPot reports
    (MSA-08-0010, CVE-2008-6124).
  - msa080004_install.dpatch: stop XSS in unconfigured installs.
  - msa08003_login-as.dpatch: correctly validate permissions when attempting
    to switch users.
  - msa080015_deleted-user-profiles.dpatch: do not display deleted user
    profiles.
  - msa080021_text-cleaning.dpatch: stop XSS in certain string format
    situations.
  - msa080023_message-csrf.dpatch: require sessionkey for instant messages
    to stop CSRF.
  - mdl11759_group-creation.dpatch: stop XSS in group creation.
  - MDL-9288_mnet.dpatch: correct escape users names in mnet.
  - MDL-11857_restore.dpatch: stop SQL injection from restore.
  - mdl12079_essayquestions.dpatch: block XSS in essay questions.
  - mdl12793_PARAM_HOST.dpatch: block XSS in host parameter.
  - mdl14806_wiki-params.dpatch: block XSS in wiki parameters.
  - msa090001.dpatch: allow removal of deleted-user pictures.
  - msa090002.dpatch: block access to deleted-user pictures.
  - msa090004.dpatch: stop XSS in "login as" (CVE-2009-0502).
  - msa090007{,_cleanup-prep}.dpatch: add more input validation to
    prevent XSS via inputs (CVE-2009-0500).
  - msa090008.dpatch: add session key to forum actions to stop CSRF
    (CVE-2009-0499).
  - CVE-2009-1171.dpatch: blacklist TeX functions that allow arbitrary file
    inclusion (MSA-09-0009, CVE-2009-1171).
* SECURITY UPDATE: Smarty template processor security fixes.
  - smarty_dollar_sign.dpatch: stop php execution via templates
    (CVE-2008-4810, CVE-2008-4811).
  - smarty_math_backticks.dpatch: stop backtick processing in math
    expressions (CVE-2009-1669).
* SECURITY UPDATE: remove unsafe and unused SpellChecker extension.
  - debian/rules: remove SpellChecker (CVE-2008-5153).

Author: Kees Cook
Revision Date: 2008-10-22 14:01:33 UTC

* SECURITY UPDATE: arbitrary code execution via multiple vectors.
  - Add CVE-2008-1502.dpatch: upstream KSES lib fixes, thanks to Nico Golde.

Author: Kees Cook
Revision Date: 2009-06-19 16:50:43 UTC

* SECURITY UPDATE: backported upstream fixes from Moodle 1.8.9 and earlier.
  - CVE-2008-4796_snoopy.dpatch: did not escape shell characters when
    using https (MSA-09-0003).
  - msa090006_CVE-2009-0501_calendar.dpatch: do not expose usernames via
    calendar export errors.
  - CVE-2007-3215_phpmailer.dpatch: escape sender email address when
    calling sendmail.
  - html2text-update.dpatch: html cleaning improved (MSA-08-0026,
    CVE-2008-5619).
  - CVE-2008-5432_wiki.dpatch: escape wiki titles in recent changes
    list (MSA-08-0022).
  - msa080010_hotpot.dpatch: block SQL injections in HotPot reports
    (MSA-08-0010, CVE-2008-6124).
  - msa080004_install.dpatch: stop XSS in unconfigured installs.
  - msa08003_login-as.dpatch: correctly validate permissions when attempting
    to switch users.
  - msa080015_deleted-user-profiles.dpatch: do not display deleted user
    profiles.
  - msa080021_text-cleaning.dpatch: stop XSS in certain string format
    situations.
  - msa080023_message-csrf.dpatch: require sessionkey for instant messages
    to stop CSRF.
  - mdl11759_group-creation.dpatch: stop XSS in group creation.
  - MDL-9288_mnet.dpatch: correct escape users names in mnet.
  - MDL-11857_restore.dpatch: stop SQL injection from restore.
  - mdl12079_essayquestions.dpatch: block XSS in essay questions.
  - mdl12793_PARAM_HOST.dpatch: block XSS in host parameter.
  - mdl14806_wiki-params.dpatch: block XSS in wiki parameters.
  - msa090001.dpatch: allow removal of deleted-user pictures.
  - msa090002.dpatch: block access to deleted-user pictures.
  - msa090004.dpatch: stop XSS in "login as" (CVE-2009-0502).
  - msa090007{,_cleanup-prep}.dpatch: add more input validation to
    prevent XSS via inputs (CVE-2009-0500).
  - msa090008.dpatch: add session key to forum actions to stop CSRF
    (CVE-2009-0499).
  - CVE-2009-1171.dpatch: blacklist TeX functions that allow arbitrary file
    inclusion (MSA-09-0009, CVE-2009-1171).
* SECURITY UPDATE: Smarty template processor security fixes.
  - smarty_dollar_sign.dpatch: stop php execution via templates
    (CVE-2008-4810, CVE-2008-4811).
  - smarty_math_backticks.dpatch: stop backtick processing in math
    expressions (CVE-2009-1669).
* SECURITY UPDATE: remove unsafe and unused SpellChecker extension.
  - debian/rules: remove SpellChecker (CVE-2008-5153).

Author: Steve Langasek
Revision Date: 2008-03-28 01:16:24 UTC

debian/postinst: ... except we should explicitly pass --debconf-ok
to ucf, for compatibility with older versions.

Author: Kees Cook
Revision Date: 2008-10-22 14:10:17 UTC

* SECURITY UPDATE: arbitrary code execution via multiple vectors.
  - Add CVE-2008-1502.dpatch: upstream KSES lib fixes, thanks to Nico Golde.

Author: Kees Cook
Revision Date: 2008-10-22 14:10:17 UTC

* SECURITY UPDATE: arbitrary code execution via multiple vectors.
  - Add CVE-2008-1502.dpatch: upstream KSES lib fixes, thanks to Nico Golde.

Author: Matt Oquist
Revision Date: 2007-07-28 16:14:18 UTC

Package changed to avoid use of wwwconfig; borrowed database setup code
from Ubuntu mythtv package.

Author: Kees Cook
Revision Date: 2006-12-18 12:28:27 UTC

* Merge from debian unstable, remaining changes:
  - debian/control:
    + php5 by default.
    + Add postgresql-client-8.1 to Depends.
    + Update Recommends alternate to postgresql-8.1.
  - debian/templates: Ensure the default corresponds to the install-
    time dependencies (apache2).

Author: Kees Cook
Revision Date: 2006-10-11 15:25:15 UTC

* SECURITY UPDATE: SQL injection vulnerability
* Add '01_sql-injection-fix.dpatch': Correctly escape tag options.
* References:
  CVE-2006-5219
  http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3

Author: John Dong
Revision Date: 2006-12-01 14:00:21 UTC

Automated backport upload; no source changes.

Author: Daniel T Chen
Revision Date: 2006-06-09 22:21:34 UTC

* [SECURITY] Fix multiple XSS and SQL injection vulnerabilities:
  - Due to a failure to properly sanitise user input, there's a
    PostgreSQL SQL injection vulnerability in
    lib/adodb/drivers/adodb-postgres64.inc.php as described in
    CVE-2006-0410. Patch applied from Debian #360395.
  - The embedded version of lib/adodb/adodb-pager.inc.php is
    susceptible to XSS as described in CVE-2006-0806. Patch applied
    from Debian #360396.
* References:
  http://bugs.debian.org/360395, CVE-2006-0410;
  http://bugs.debian.org/360396, CVE-2006-0806.
* debian/:
  - postinst: Handle the upgrade path from any previous packaging
    revision in Breezy and Dapper that depends on apache2 but
    mistakenly uses apache in the debconf template.
  - templates: Use apache2 by default since, well, that's what the
    dependency prefers. Now Moodle actually installs.
  (Closes: Malone #5501, Malone #47812).

Author: Daniel T Chen
Revision Date: 2006-06-09 22:21:34 UTC

* [SECURITY] Fix multiple XSS and SQL injection vulnerabilities:
  - Due to a failure to properly sanitise user input, there's a
    PostgreSQL SQL injection vulnerability in
    lib/adodb/drivers/adodb-postgres64.inc.php as described in
    CVE-2006-0410. Patch applied from Debian #360395.
  - The embedded version of lib/adodb/adodb-pager.inc.php is
    susceptible to XSS as described in CVE-2006-0806. Patch applied
    from Debian #360396.
* References:
  http://bugs.debian.org/360395, CVE-2006-0410;
  http://bugs.debian.org/360396, CVE-2006-0806.
* debian/:
  - postinst: Handle the upgrade path from any previous packaging
    revision in Breezy and Dapper that depends on apache2 but
    mistakenly uses apache in the debconf template.
  - templates: Use apache2 by default since, well, that's what the
    dependency prefers. Now Moodle actually installs.
  (Closes: Malone #5501, Malone #47812).

Author: Daniel T Chen
Revision Date: 2006-01-09 13:49:39 UTC

Resynchronise with Debian.

Author: Andrew Mitchell
Revision Date: 2005-10-13 02:00:59 UTC

* Resync with debian (security update)
* changed dependencys to php5
* changed apache dependency to apache2
* References
  CAN-2005-2247

Author: Isaac Clerencia
Revision Date: 2004-12-29 00:49:52 UTC

* Urgency high as upstream release fixes several security bugs
* New upstream release
* Write database creation errors and warn the user about it,
closes: #285842, #285842

Author: Isaac Clerencia
Revision Date: 2004-06-04 23:45:37 UTC

* New upstream release, closes: #252693
* Added "exec 0<&1" to postinst to fix hang when ucf asks the user