moodle - several

Several security issues have been fixed in Moodle, a course management
system for online learning:

• CVE-2011-4308 / CVE-2012-0792
  Rossiani Wijaya discovered an information leak in
  mod/forum/user.php.
• CVE-2011-4584
  MNet authentication didn’t prevent a user using Login as from
  jumping to a remove MNet SSO.
• CVE-2011-4585
  Darragh Enright discovered that the change password form was send in
  over plain HTTP even if httpslogin was set to true.
• CVE-2011-4586
  David Michael Evans and German Sanchez Gances discovered CRLF
  injection/HTTP response splitting vulnerabilities in the Calendar
  module.
• CVE-2011-4587
  Stephen Mc Guiness discovered empty passwords could be entered in
  some circumstances.
• CVE-2011-4588
  Patrick McNeill discovered that IP address restrictions could be bypassed in
  MNet.
• CVE-2012-0796
  Simon Coggins discovered that additional information could be
  injected into mail headers.
• CVE-2012-0795
  John Ehringer discovered that email addresses were insufficiently
  validated.
• CVE-2012-0794
  Rajesh Taneja discovered that cookie encryption used a fixed key.
• CVE-2012-0793
  Eloy Lafuente discovered that profile images were insufficiently
  protected. A new configuration option forceloginforprofileimages
  was introduced for that.

For the stable distribution (squeeze), this problem has been fixed in
version 1.9.9.dfsg2-2.1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.9.dfsg2-5.

We recommend that you upgrade your moodle packages.