File moodle.changes of Package moodle
-------------------------------------------------------------------
Wed Nov 10 17:16:42 CET 2010 - lrupp@suse.de
- update to 1.9.10 (bnc #650155):
+ this update fixes the following security incidents:
++ CVE-2010-4207, CVE-2010-4208, CVE-2010-4209:
Cross-site scripting (XSS) vulnerability in the Flash
component infrastructure
+ Multiple phpCAS library vulnerabilities
+ Customised HTML Purifier upgraded to 4.2.0
- upgraded language packs as the new version comes with more and/or
changed (translated) text
-------------------------------------------------------------------
Thu Jul 8 09:35:20 CEST 2010 - lrupp@suse.de
- update to 1.9.9 (bnc #616186):
+ this update fixes the following security incidents:
++ CVE-2010-2228 Persistent Cross Site Scripting vulnerability
in the MNET access control interface
++ CVE-2010-2229 Cross Site Scripting vulnerability in
blog/index.php
++ CVE-2010-2230 KSES Security Filter Bypassing vulnerability
++ CVE-2010-2231 Potential Cross Site Scripting vulnerability
in Quiz reports
+ also 39 minor bugs were fixed.
- upgraded language packs as the new version comes with more and/or
changed (translated) text
-------------------------------------------------------------------
Mon Mar 29 12:51:48 UTC 2010 - lrupp@suse.de
- update to 1.9.8 (bnc #591850):
+ this update fixes the following security incidents:
++ MSA-10-0001 Vulnerability in KSES text cleaning
++ MSA-10-0002 XSS vulnerability in the phpcas module
++ MSA-10-0003 Disclosure of full user names
++ MSA-10-0004 Improved access control in course restore
++ MSA-10-0005 Incorrect validation of forms data
++ MSA-10-0006 SQL injection in Wiki module
++ MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
++ MSA-10-0008 Persistent XSS when using Login-as feature
++ MSA-10-0009 Session fixation prevention now turned on by default
+ also the following bugs were fixed:
++ MDL-16658 - New capability moodle/restore:createuser to control
whether a user can create users when restoring a course
++ MDL-21174 - Bulk upload of user profile pictures now excludes
deleted users
++ MDL-20125 - New Section Links block settings
++ MDL-21606 - Fix for Chameleon theme not working with Firefox 3.6
++ MDL-21343 - Fix for LDAP authentication settings not being shown
++ MDL-19392 and MDL-21332 - Fixes for AICC objects
++ MDL-21045 - Grade letters, outcomes, grade categories and grade
items are now restored regardless of whether users are included
in the course backup
++ MDL-20122 - SCORM module restore now retains maxgrade, updatefreq,
maxattempt, grademethod and options
++ MDL-20819 - Fix for statistics generation problem
++ MDL-21029 - Global glossary auto linking fix
++ MDL-20810 - Hotpot module import questions fix
- added hint in README.SuSE about upgrade
-------------------------------------------------------------------
Fri Feb 5 14:33:04 CET 2010 - lrupp@suse.de
- update to 1.9.7 (bnc #564364):
+ this update fixes the following security incidents:
++ CVE-2009-4297
++ CVE-2009-4298
++ CVE-2009-4299
++ CVE-2009-4300
++ CVE-2009-4301
++ CVE-2009-4302
++ CVE-2009-4303
++ CVE-2009-4304
++ CVE-2009-4305
++ MSA-09-0030 - New detection of insecure Flash player plugins
+ new IMS Common Cartridge import (requires enabling in
Site Administration > Miscellaneous > Experimental)
+ Workshop module now finally pushes grades into Gradebook
during Synchronize legacy grades procedure
+ Miscellaneous Workshop module fixes
+ Completely new, more secure password handling. Besides other
features, Admins will be asked to change their passwords next
time they log in after upgrading
+ Hashed user passwords are no longer saved in backup files
containing user data. If a backup is restored to a new site,
users will be asked to go through the "forgot my password"
routine the first time they log in.
- removed old, upstreamed patches
-------------------------------------------------------------------
Tue Mar 31 16:01:34 CEST 2009 - lrupp@suse.de
- fix bnc#490087: Moodle File Disclosure Vulnerability
+ moodle-1.9.3-CVE-2009-1171.patch
-------------------------------------------------------------------
Mon Mar 16 15:14:16 CET 2009 - lrupp@suse.de
- fix bnc#475111: moodle XSS, CSRF
+ moodle-1.9.3-CVE-2009-0499.patch
+ moodle-1.9.3-CVE-2009-0500.patch
+ moodle-1.9.3-CVE-2009-0501.patch
+ moodle-1.9.3-CVE-2009-0502.patch
-------------------------------------------------------------------
Mon Jan 19 17:45:31 CET 2009 - lrupp@suse.de
- fix potential Remote Code Execution
(moodle-1.9.3-Remote_Code_Execution.patch) bnc#459039
-------------------------------------------------------------------
Wed Nov 12 10:52:38 CET 2008 - lrupp@suse.de
- php-imap doesn't exist any more in Factory
- update to 1.9.3:
MSA-08-0020: quiz/questions capabilities lack some risk flags in
access.php files
MSA-08-0021: design deficiency combined with incorrect use of
format_string() allowing XSS
MSA-08-0022: XSS through Wiki page titles
MSA-08-0023: CSRF in messaging setting
MSA-08-0024: Overriding of frozen values in Moodle forms
MSA-08-0025: SQL injection in tags code
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5
+ The regression in 1.9.2 that broke images in quiz questions
has been fixed.
+ Fixes for course category edit and add capabilities problems
+ Fix for Firefox password manager problem
+ Fix for major groups upgrade problem
+ Indication for administrators when a site is in Maintenance mode
+ Improved detection of misconfigured dataroot directory
+ and many more
(see http://docs.moodle.org/en/Release_Notes#Moodle_1.9.3)
- updated en, es, et, eu, fa, fi, fr, gl, he, hr, hu, is, it, ja,
km, ko, lt, lv, ms, nl, nn, no, pl, pt, ro, ru, sk, sl, so, sq,
sv, tr, uk, vi language files
- removed moodle-oss files
- remove obsolete suse_version checks
-------------------------------------------------------------------
Thu Sep 25 22:42:20 CEST 2008 - lars@linux-schulserver.de
- moved to Education base repository
-------------------------------------------------------------------
Mon Jul 21 18:49:18 CEST 2008 - lrupp@suse.de
- update to 1.9.2:
+ MSA-08-0016: Email could be changed in profile
without confirmation
+ MSA-08-0015: accessible profiles of deleted users
+ MSA-08-0014: potential sql injection in events handling code
+ MSA-08-0012: Potential non-persistent XSS when searching for
group members (MSSQL and Oracle only)
+ MSA-08-0010: sql injection in HotPot module
+ compatibility fixes for MSSQL, Oracle and PostgreSQL
+ improved triggering core events (unfortunately 3rd party code
needs to be updated MDL-9983)
+ various spam related improvements (confirmation when changing
emails, new lang strings with better help, email self-register
off by default)
+ forum subscribe and unsubscribe improvements
+ the simpler quiz report enhancements and bug fixes, from this
body of work aimed at 2.0, have been implemented on the 1.9
stable branch.
- updated language files, too
- fix rpmlint file syntax
-------------------------------------------------------------------
Mon Jun 2 13:22:38 CEST 2008 - lrupp@suse.de
- update to 1.9.1 (bugfix release):
* Gradebook - bug fixing and performance problems solved
* Backup/restore bug fixing, improvements and performance
* Numerous PostgreSQL compatibility fixes
* Many critical problems fixed in language packs
* Front page participants list improved
* Database module - bug fixing and improvements, including
additional database template tags
* Forum module - fixed unread tracking, performance improvements,
group modes fixed
* Resource module - fixed problems with PDF files in IE
* Quiz module - Improvements to robustness
* Captcha support added to Email-based self-registration
-------------------------------------------------------------------
Wed Apr 9 23:33:08 CEST 2008 - crrodriguez@suse.de
- moodle does not send scheduled emails nor execute
cleanup tasks without cron
-------------------------------------------------------------------
Tue Mar 18 14:17:47 CET 2008 - lrupp@suse.de
- fix a bug with the regex_replace modifier that can allow php
functions to be called in templates (bnc#202591)
moodle-CVE-2008-1066.patch
-------------------------------------------------------------------
Mon Mar 17 14:14:38 CET 2008 - lrupp@suse.de
- update to 1.9:
+ new/changed features: Gradebook, Outcomes, Events API,
Tags support, Notes, Bulk users actions
+ many scalability and performance improvements (overhaul of the
Roles implementation, additional code for PHP pre-compilers,
improvements in the database access code)
+ Active Directory NTLM Single Sign On
+ New theme settings
+ Oracle Support - Catalyst Ltd, USQ
+ Numerous admin settings fixes and improvements
For a detailed list, please read
http://docs.moodle.org/en/Release_Notes#Moodle_1.9
- added some links to the README.SuSE
- enhanced the rpmlintrc file
- updated language files
-------------------------------------------------------------------
Wed Dec 5 17:31:57 CET 2007 - lrupp@suse.de
- update to 1.8.4:
+ Some crucial performance fixes
+ Many little annoying bugs squashed
+ more on http://docs.moodle.org/en/Release_Notes#Moodle_1.8.3
- updated language files
- enhanced the README.SuSE
- now we support the "normal" installation via browser
-------------------------------------------------------------------
Mon Aug 6 12:49:41 CEST 2007 - lrupp@suse.de
- update to 1.8.2:
+ groups implementation has been cleaned up
+ two XSS security vulnerabilities were fixed
+ more XHTML validation cleanups
+ fixed user upload failure when file contains utf-8 bom
+ more on http://docs.moodle.org/en/Release_Notes#Moodle_1.8.2
-------------------------------------------------------------------
Tue Jun 5 09:40:33 CEST 2007 - lrupp@suse.de
- Require mysql >= 5.0 (for UTF8 Support)
- use fdupes to find duplicate files
- Remove libbz2 from BuildRequires
- Remove triggerpostun
-------------------------------------------------------------------
Sun Apr 1 20:42:53 CEST 2007 - lrupp@suse.de
- Upgrade to 1.8:
+ Accessibility improvements
+ it is now possible to link Moodle sites allowing cross-site
roaming, transparent enrolments and remote log viewing.
+ Roles improvements
- changes in moodle_include.conf:
+ set "safe_mode Off" and
+ "session.save_handler = files"
+ increased "post_max_size" and "upload_max_filesize" to 16M
see http://docs.moodle.org/en/Installing_Moodle for more details
- updated language files
- updated moodle-oss
- added php4-ldap php4-imap freetype2 to Requires
-------------------------------------------------------------------
Sun Apr 1 17:43:31 CEST 2007 - lrupp@suse.de
- add libbz2 to BuildRequires for > 1020
-------------------------------------------------------------------
Thu Mar 29 19:22:16 CEST 2007 - dmueller@suse.de
- update BuildRequires
-------------------------------------------------------------------
Wed Feb 7 00:19:35 CET 2007 - lrupp@suse.de
- remove trailing '/' from config
- move moodle to /srv/www/moodle
- adapt OSS scripts to new locations
-------------------------------------------------------------------
Tue Jan 23 22:32:08 CET 2007 - lrupp@suse.de
- updated moodle to 1.7.1 (bugfix release)
- updated language packs
- fixed requires for SLES9
- added triggerpostun for old config move
- added 'de_du' package
-------------------------------------------------------------------
Tue Dec 19 20:11:34 CET 2006 - lrupp@suse.de
- some enhancements in the moodle-add-user script
- changed default currency to "EUR" instead of "USD" in the database
-------------------------------------------------------------------
Thu Dec 7 23:11:33 CET 2006 - lrupp@suse.de
- Updated ca, en, es, eu, fr, ja, ko, tr and vi language files
- updated setup and plugin script in moodle-oss.tar.bz2
-------------------------------------------------------------------
Fri Nov 17 07:05:22 CET 2006 - lrupp@suse.de
- updated translations
- beautify specfile
- added locale Provides to language packages
- updated database dump and OSS scripts
-------------------------------------------------------------------
Tue Nov 14 15:22:20 CET 2006 - lrupp@suse.de
- upgrade to 1.7:
+ allows user roles now
+ new XML database schema for support of a wider range of
databases
+ New admin interface which makes it easier to find settings
+ first Unit testing framework for developers
+ first AJAX features (unstable atm) in course editing
+ many small bugfixes - see:
http://docs.moodle.org/en/Release_Notes#Moodle_1.7
- updated language files
- rewrite some special OSS scripts
-------------------------------------------------------------------
Sat Nov 4 22:18:27 CET 2006 - lrupp@suse.de
- use admin_flag in apache config ( #216923 )
- some security enhancements:
+ make config not world-readable
+ set register_globals off
+ use open_basedir restrictions
+ disable Session auto start
- added mod_php4 config for older distributions
- updated language packs
- added Hindi, Croatian, Icelandic, Somali translations
- added en_utf8: en is just a placeholder now
-------------------------------------------------------------------
Sun Oct 15 18:11:02 CEST 2006 - lrupp@suse.de
- new version: 1.6.3
- all patches included upstream
-------------------------------------------------------------------
Fri Oct 6 00:01:54 CEST 2006 - lrupp@suse.de
- updated language files
- added patches:
+ Fixing $tempfiledir path in spellchecker
+ update mdl fields during login only once if 'oncreation' is set
+ don't show backup directory to all users
+ corrected display of best grade if maximum grade != 100
+ If a theme doesn't exist then revert to standardwhite
+ make course upload size limits apply to students only
+ remove linefeeds from textfiles after editing in browser window
+ fix error message when the first lesson is created
+ allow UTF-8 strings to be truncated at character
boundaries instead of word boundaries (fix MDL-5378)
+ studentview was not working in hidden courses (MDL-6341)
+ trigger correct upgrade of tables for HotPot v1
+ Fix JavaScript timer problem (endless loop)
+ added missing global to restore teachers correctly (MDL-6084)
+ added eu as toplevel domain in validateurlsyntax.php
-------------------------------------------------------------------
Thu Sep 28 18:50:39 CEST 2006 - lrupp@suse.de
- update to 1.6.2
* many security fixes in filehandling (upload, backup)
* bugfixes in localisation packages
* fixes in Lesson module
* sessiontimeout setting works now
- added plugins for adding and deleting users via LDAP
-------------------------------------------------------------------
Thu Aug 31 20:40:10 CEST 2006 - lrupp@suse.de
- initial package (1.6.1)