Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 578811 (CVE-2010-1613, CVE-2010-1614, CVE-2010-1615, CVE-2010-1616, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619) - CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-2010-1618 CVE-2010-1619 Moodle: Multiple security fixes in 1.8.12 upstream release
Summary: CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-201...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1613, CVE-2010-1614, CVE-2010-1615, CVE-2010-1616, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://docs.moodle.org/en/Moodle_1.8....
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-01 12:49 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:36 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-10 15:55:51 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-04-01 12:49:38 UTC
Moodle upstream has released latest v1.9.8 and v.1.8.12
versions:
  [1] http://docs.moodle.org/en/Moodle_1.9.8_release_notes
  [2] http://docs.moodle.org/en/Moodle_1.8.12_release_notes

addressing multiple security issues (from [2]):

    * MSA-10-0001 Vulnerability in KSES text cleaning
    * MSA-10-0002 XSS vulnerabilty in the phpcas module
    * MSA-10-0003 Disclosure of full user names
    * MSA-10-0005 Incorrect validation of forms data
    * MSA-10-0006 SQL injection in Wiki module
    * MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle
                  Global Search Engine
    * MSA-10-0008 Persistent XSS when using Login-as feature
    * MSA-10-0009 Session fixation prevention now turned on by default 

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/04/01/1

Comment 1 Jan Lieskovsky 2010-04-01 12:52:24 UTC
Though current Fedora versions of moodle has been already
upgraded to v1.9.8 (thanks Jon), these issues still affect
the versions of the moodle package, as present within
EPEL-4 and EPEL-5 repositories.

Please fix.

Comment 2 Fedora Update System 2010-04-01 17:59:39 UTC
moodle-1.8.12-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el5

Comment 3 Fedora Update System 2010-04-01 17:59:44 UTC
moodle-1.8.12-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el4

Comment 4 Fedora Update System 2010-04-02 02:39:43 UTC
moodle-1.8.12-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2010-04-02 02:39:53 UTC
moodle-1.8.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2010-06-10 15:55:51 UTC
MITRE has assigned the following CVEs for these issues (as noted in http://www.openwall.com/lists/oss-security/2010/04/29/10):

>MSA-10-0009: Session fixation prevention now turned on by default

Use CVE-2010-1613

>MSA-10-0008: Persistent XSS when using Login-as feature
>MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle
>Global Search Engine

These two are combined into a single CVE.

Use CVE-2010-1614

>MSA-10-0006: SQL injection in Wiki module
>MSA-10-0005: Incorrect validation of forms data

These two are combined into a single CVE.

Use CVE-2010-1615

>MSA-10-0004: Improved access control in course restore

Use CVE-2010-1616

>MSA-10-0003: Disclosure of full user names

Use CVE-2010-1617

>MSA-10-0002: XSS vulnerabilty in the phpcas module

Use CVE-2010-1618

>MSA-10-0001: Vulnerability in KSES text cleaning

Use CVE-2010-1619


Note You need to log in before you can comment on or make changes to this bug.