| Summary: | moodle new security issues fixed in 2.4.5 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/560021/ | ||
| Whiteboard: | has_procedure mga3-64-ok mga3-32-ok | ||
| Source RPM: | moodle-2.4.4-1.1.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-07-10 23:29:49 CEST
For testing instructions, see: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

Flash files distributed with the YUI library in Moodle before 2.4.5 may have allowed for cross-site scripting attacks (MSA-13-0025).

Privacy settings for the IMS-LTI (External tool) module in Moodle before 2.4.5 were not able to be changed so personal information was always transferred (MSA-13-0026).

Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5 without the required capability (CVE-2013-2242).

It was possible to determine answers from ID values in Lesson activity matching questions in Moodle before 2.4.5 (CVE-2013-2243).

Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).

When impersonating another user using RSS tokens in Moodle before 2.4.5, an error was displayed, but block information relevant to the person being impersonated was shown (CVE-2013-2245).

The Feedback module in Moodle before 2.4.5 was showing personal information to users without the needed capability (CVE-2013-2246).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2246
https://moodle.org/mod/forum/discuss.php?d=232496
https://moodle.org/mod/forum/discuss.php?d=232497
https://moodle.org/mod/forum/discuss.php?d=232498
https://moodle.org/mod/forum/discuss.php?d=232500
https://moodle.org/mod/forum/discuss.php?d=232501
https://moodle.org/mod/forum/discuss.php?d=232502
https://moodle.org/mod/forum/discuss.php?d=232503
http://docs.moodle.org/dev/Moodle_2.4.5_release_notes
https://moodle.org/mod/forum/discuss.php?d=232108

Severity: normal => major

Procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

To get this up and running, it's similar to other web app packages. Simplest way:

```
urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<PASSWORD>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;
```

Then, edit /var/www/moodle/config.php, and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser (or whatever user you created in the create user command in mysql), and the password you used in the create user mysql command in for dbpass. Then browse to http://localhost/moodle to complete the setup.

There's a lot more documentation on using moodle at: http://docs.moodle.org/24/en/Main_page
claire robinson
2013-07-16 12:38:10 CEST
Whiteboard: (none) => has_procedure

Sorry David, I didn't notice you'd already given a link.

Testing mga3 64

Installed and configured with the admin user and created a sample course. Installed the update candidate and it then offered to upgrade the database and one plugin, I thought I'd remember its name but I don't :\

All OK after doing so, the login and course are still present.

Testing complete mga3 64

Whiteboard: has_procedure => has_procedure mga3-64-ok

Testing mga3 32

Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Validating. Advisory from comment 0 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2013-0217.html

Status: NEW => RESOLVED
David Walser
2013-07-22 19:33:06 CEST
URL: (none) => http://lwn.net/Vulnerabilities/560021/
Nicolas Vigier
2014-05-08 18:05:42 CEST
CC: boklm => (none)