Hello community, here is the log from the commit of package moodle checked in at Fri Mar 21 01:22:08 CET 2008. -------- --- moodle/moodle.changes 2008-03-11 12:58:31.000000000 +0100 +++ moodle/moodle.changes 2008-03-18 14:17:58.000000000 +0100 @@ -1,0 +2,26 @@ +Tue Mar 18 14:17:47 CET 2008 - lrupp@suse.de + +- fix a bug with the regex_replace modifier that can allow php + functions to be called in templates (bnc#202591) + moodle-CVE-2008-1066.patch + +------------------------------------------------------------------- +Mon Mar 17 14:14:38 CET 2008 - lrupp@suse.de + +- update to 1.9: + + new/changed features: Gradebook, Outcomes, Events API, + Tags support, Notes, Bulk users actions + + many scalability and performance improvements (overhaul of the + Roles implementation, additional code for PHP pre-compilers, + improvements in the database access code + + Active Directory NTLM Single Sign On + + New theme settings + + Oracle Support - Catalyst Ltd, USQ + + Numerous admin settings fixes and improvements + For a detailed list, please read + http://docs.moodle.org/en/Release_Notes#Moodle_1.9 +- added some links to the README.SuSE +- enhanced the rpmlintrc file +- updated language files + +------------------------------------------------------------------- Old: ---- moodle-1.8.4.tar.bz2 moodle-install.php.patch New: ---- moodle-1.9.tar.bz2 moodle-CVE-2008-1066.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ moodle.spec ++++++ --- /var/tmp/diff_new_pack.C13487/_old 2008-03-21 01:20:39.000000000 +0100 +++ /var/tmp/diff_new_pack.C13487/_new 2008-03-21 01:20:39.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package moodle (Version 1.8.4) +# spec file for package moodle (Version 1.9.0) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine 
@@ -17,9 +17,9 @@ License: LGPL v2.1 or later Group: Productivity/Networking/Web/Utilities AutoReqProv: no -Version: 1.8.4 +Version: 1.9.0 Release: 1 -Source: moodle-1.8.4.tar.bz2 +Source: moodle-1.9.tar.bz2 Source2: moodle.cron Source3: moodle_include.conf Source4: moodle.config.dummy @@ -83,7 +83,7 @@ Source162: vi_utf8.zip Source163: zh_cn_utf8.zip Source164: de_du_utf8.zip -Patch: moodle-install.php.patch +Patch1: moodle-CVE-2008-1066.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch PreReq: mysql >= 5.0 @@ -1586,7 +1586,7 @@ %prep %setup -q -n %{name} -a10 -%patch +%patch1 -p1 # --------------------------------------------------------------------------- %build 
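Review bot: The `@@ -83,7 +83,7 @@` hunk drops `Patch: moodle-install.php.patch`, and the `%prep` hunk after it replaces the bare `%patch` with `%patch1 -p1`, but neither changelog entry in this commit says why the install patch went away. If 1.9 already contains that change, the changelog should say so, for example `- dropped moodle-install.php.patch (no longer needed with 1.9)`. If it merely stopped applying, whatever it adjusted in install.php should be re-checked against the new tarball. A downstream patch that disappears without a record is hard to audit later.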
@@ -1755,6 +1755,26 @@ %{moodlerootdir}/admin/process_email.php %changelog +* Tue Mar 18 2008 lrupp@suse.de +- fix a bug with the regex_replace modifier that can allow php + functions to be called in templates (bnc#202591) + moodle-CVE-2008-1066.patch +* Mon Mar 17 2008 lrupp@suse.de +- update to 1.9: + + new/changed features: Gradebook, Outcomes, Events API, + Tags support, Notes, Bulk users actions + + many scalability and performance improvements (overhaul of the + Roles implementation, additional code for PHP pre-compilers, + improvements in the database access code + + Active Directory NTLM Single Sign On + + New theme settings + + Oracle Support - Catalyst Ltd, USQ + + Numerous admin settings fixes and improvements + For a detailed list, please read + http://docs.moodle.org/en/Release_Notes#Moodle_1.9 +- added some links to the README.SuSE +- enhanced the rpmlintrc file +- updated language files * Wed Dec 05 2007 lrupp@suse.de - update to 1.8.4: + Some crucial performance fixes ++++++ ca_utf8.zip ++++++ Files moodle/ca_utf8.zip and moodle/ca_utf8.zip differ ++++++ cs_utf8.zip ++++++ Files moodle/cs_utf8.zip and moodle/cs_utf8.zip differ ++++++ da_utf8.zip ++++++ Files moodle/da_utf8.zip and moodle/da_utf8.zip differ ++++++ de_utf8.zip ++++++ Files moodle/de_utf8.zip and moodle/de_utf8.zip differ ++++++ en_utf8.zip ++++++ Files moodle/en_utf8.zip and moodle/en_utf8.zip differ ++++++ es_utf8.zip ++++++ Files moodle/es_utf8.zip and moodle/es_utf8.zip differ ++++++ eu_utf8.zip ++++++ Files moodle/eu_utf8.zip and moodle/eu_utf8.zip differ ++++++ fi_utf8.zip ++++++ Files moodle/fi_utf8.zip and moodle/fi_utf8.zip differ ++++++ fr_utf8.zip ++++++ Files moodle/fr_utf8.zip and moodle/fr_utf8.zip differ ++++++ ga_utf8.zip ++++++ Files moodle/ga_utf8.zip and moodle/ga_utf8.zip differ ++++++ gl_utf8.zip ++++++ Files moodle/gl_utf8.zip and moodle/gl_utf8.zip differ ++++++ he_utf8.zip ++++++ Files moodle/he_utf8.zip and moodle/he_utf8.zip differ ++++++ hu_utf8.zip ++++++ 
Files moodle/hu_utf8.zip and moodle/hu_utf8.zip differ ++++++ it_utf8.zip ++++++ Files moodle/it_utf8.zip and moodle/it_utf8.zip differ ++++++ ja_utf8.zip ++++++ Files moodle/ja_utf8.zip and moodle/ja_utf8.zip differ ++++++ ko_utf8.zip ++++++ Files moodle/ko_utf8.zip and moodle/ko_utf8.zip differ ++++++ lv_utf8.zip ++++++ Files moodle/lv_utf8.zip and moodle/lv_utf8.zip differ ++++++ moodle-1.8.4.tar.bz2 -> moodle-1.9.tar.bz2 ++++++ moodle/moodle-1.8.4.tar.bz2 moodle/moodle-1.9.tar.bz2 differ: byte 11, line 1 ++++++ moodle-CVE-2008-1066.patch ++++++ Index: moodle/lib/smarty/plugins/modifier.regex_replace.php =================================================================== --- moodle.orig/lib/smarty/plugins/modifier.regex_replace.php +++ moodle/lib/smarty/plugins/modifier.regex_replace.php @@ -11,9 +11,10 @@ * * Type: modifier<br> * Name: regex_replace<br> - * Purpose: regular epxression search/replace + * Purpose: regular expression search/replace * @link http://smarty.php.net/manual/en/language.modifier.regex.replace.php * regex_replace (Smarty online manual) + * @author Monte Ohrt <monte at ohrt dot com> * @param string * @param string|array * @param string|array @@ -21,10 +22,13 @@ */ function smarty_modifier_regex_replace($string, $search, $replace) { - if (preg_match('!\W(\w+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) { + if (($pos = strpos($search,"\0")) !== false) + $search = substr($search,0,$pos); + if (preg_match('!([a-zA-Z\s]+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) { /* remove eval-modifier from $search */ - $search = substr($search, 0, -strlen($match[1])) . str_replace('e', '', $match[1]); + $search = substr($search, 0, -strlen($match[1])) . preg_replace('![e\s]+!', '', $match[1]); } + return preg_replace($search, $replace, $string); } ++++++ moodle-README.SuSE ++++++ --- moodle/moodle-README.SuSE 2007-12-05 19:08:29.000000000 +0100 +++ moodle/moodle-README.SuSE 2008-03-17 15:36:20.000000000 +0100 
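Review bot: The eval-modifier stripping in the `@@ -21,10 +22,13 @@` hunk applies only string functions to `$search`, while the docblock in the hunk above declares that parameter as `string|array`. An array of patterns therefore appears to reach `preg_replace()` without the NUL truncation or the `e` removal. Running the same normalisation over each element closes that gap, as sketched below. The new NUL check is also a brace-less `if` with a two-space indent, unlike the rest of the function, so the sketch braces it.

```php
function smarty_modifier_regex_replace($string, $search, $replace)
{
    /* normalise every pattern, whether $search is a string or an array */
    $patterns = is_array($search) ? $search : array($search);
    foreach ($patterns as $idx => $pattern) {
        if (($pos = strpos($pattern, "\0")) !== false) {
            $pattern = substr($pattern, 0, $pos);
        }
        if (preg_match('!([a-zA-Z\s]+)$!s', $pattern, $match) && (strpos($match[1], 'e') !== false)) {
            /* remove eval-modifier from $pattern */
            $pattern = substr($pattern, 0, -strlen($match[1])) . preg_replace('![e\s]+!', '', $match[1]);
        }
        $patterns[$idx] = $pattern;
    }
    $search = is_array($search) ? $patterns : $patterns[0];

    return preg_replace($search, $replace, $string);
}
```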
@@ -11,7 +11,6 @@ mysql> flush privileges; mysql> quit -Choose a good password for your "moodleuser" and enter it instead of the 'passwd' above. # Configure moodle via Browser 2) Start apache (rcapache2 start) and open the following URL in a browser on your host: @@ -64,5 +63,9 @@ edit your sites name and description and start with your new moodle site. +--------------- Links: --------------- +* http://docs.moodle.org/en/Installing_Moodle +* http://docs.moodle.org/en/Upgrading +* http://en.opensuse.org/Moodle ++++++ moodle-rpmlintrc ++++++ --- moodle/moodle-rpmlintrc 2007-08-06 16:52:20.000000000 +0200 +++ moodle/moodle-rpmlintrc 2008-03-17 15:34:36.000000000 +0100 
@@ -1,5 +1,17 @@ -addFilter("non-readable .*/etc/moodle-config.php") +# this should be a pseudo config file pointing to the right one +# but we can't be shure that our users to what we want here.... +addFilter("W: non-etc-or-var-file-marked-as-conffile /srv/www/moodle/config.php") addFilter("arch-independent-package-contains-binary-or-object .*/srv/www/moodle/filter/tex/mimetex.linux") addFilter("arch-independent-package-contains-binary-or-object .*/srv/www/moodle/filter/tex/mimetex.freebsd") +# all files in this directory are just containing translations addFilter("script-without-shebang .*/srv/www/moodle/lang/.*") +# some language files are not in unix format, but they where imported +# into the database during setup, so this don't hurts us here +addFilter("wrong-script-end-of-line-encoding .*/srv/www/moodle/lang/.*") +# this is hopefully temporary: some languages are not completely translated +addFilter("zero-length .*/srv/www/moodle/lang/.*") +# some empty index.html file just to avoid directory listing +addFilter("zero-length .*/srv/www/moodle/.*html") addFilter("zero-length .*/srv/www/moodle/theme/chameleon/temp_user_styles.css") +# this file is for debugging only - developers know what to do with this file.... +addFilter"(W: non-executable-script /srv/www/moodle/admin/mailout-debugger.php") ++++++ nl_utf8.zip ++++++ Files moodle/nl_utf8.zip and moodle/nl_utf8.zip differ ++++++ no_utf8.zip ++++++ Files moodle/no_utf8.zip and moodle/no_utf8.zip differ ++++++ pt_utf8.zip ++++++ Files moodle/pt_utf8.zip and moodle/pt_utf8.zip differ ++++++ ru_utf8.zip ++++++ Files moodle/ru_utf8.zip and moodle/ru_utf8.zip differ ++++++ sk_utf8.zip ++++++ Files moodle/sk_utf8.zip and moodle/sk_utf8.zip differ ++++++ tr_utf8.zip ++++++ Files moodle/tr_utf8.zip and moodle/tr_utf8.zip differ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... 
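Review bot: The last added line, `addFilter"(W: non-executable-script /srv/www/moodle/admin/mailout-debugger.php")`, has the quote and the opening parenthesis swapped, so it is not a valid `addFilter` call and will most likely break parsing of the rpmlintrc. It should read `addFilter("W: non-executable-script /srv/www/moodle/admin/mailout-debugger.php")`. The comment above it says the file is for debugging only, yet the path is under the web root, so consider excluding it from the package or blocking access to it rather than only silencing the warning. The new comments also carry typos (`shure`, `to what`, `where imported`).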