moodle - several vulnerabilities

Several remote vulnerabilities have been discovered in Moodle, a
course management system. The Common Vulnerabilities and Exposures
project identifies the following problems:

• CVE-2010-1613
  Moodle does not enable the Regenerate session id during
  login setting by default, which makes it easier for remote
  attackers to conduct session fixation attacks.
• CVE-2010-1614
  Multiple cross-site scripting (XSS) vulnerabilities allow
  remote attackers to inject arbitrary web script or HTML via
  vectors related to (1) the Login-As feature or (2) when the
  global search feature is enabled, unspecified global search
  forms in the Global Search Engine.
• CVE-2010-1615
  Multiple SQL injection vulnerabilities allow remote attackers
  to execute arbitrary SQL commands via vectors related to (1)
  the add_to_log function in mod/wiki/view.php in the wiki
  module, or (2) data validation in some forms elements
  related to lib/form/selectgroups.php.
• CVE-2010-1616
  Moodle can create new roles when restoring a course, which
  allows teachers to create new accounts even if they do not
  have the moodle/user:create capability.
• CVE-2010-1617
  user/view.php does not properly check a role, which allows
  remote authenticated users to obtain the full names of other
  users via the course profile page.
• CVE-2010-1618
  A Cross-site scripting (XSS) vulnerability in the phpCAS
  client library allows remote attackers to inject arbitrary web
  script or HTML via a crafted URL, which is not properly
  handled in an error message.
• CVE-2010-1619
  A Cross-site scripting (XSS) vulnerability in the
  fix_non_standard_entities function in the KSES HTML text
  cleaning library (weblib.php) allows remote attackers to
  inject arbitrary web script or HTML via crafted HTML entities.
• CVE-2010-2228
  A Cross-site scripting (XSS) vulnerability in the MNET
  access-control interface allows remote attackers to inject
  arbitrary web script or HTML via vectors involving extended
  characters in a username.
• CVE-2010-2229
  Multiple cross-site scripting (XSS) vulnerabilities in
  blog/index.php allow remote attackers to inject arbitrary web
  script or HTML via unspecified parameters.
• CVE-2010-2230
  The KSES text cleaning filter in lib/weblib.php does
  not properly handle vbscript URIs, which allows remote
  authenticated users to conduct cross-site scripting (XSS)
  attacks via HTML input.
• CVE-2010-2231
  A Cross-site request forgery (CSRF) vulnerability in
  report/overview/report.php in the quiz module allows remote
  attackers to hijack the authentication of arbitrary users for
  requests that delete quiz attempts via the attemptid
  parameter.

This security update switches to a new upstream version and requires
database updates. After installing the fixed package, you must visit
<http://localhost/moodle/admin/&gt; and follow the update instructions.

For the stable distribution (lenny), these problems have been fixed in
version 1.8.13-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.9.dfsg2-1.

We recommend that you upgrade your moodle package.