Bug 11212

Summary: moodle new security issues fixed in 2.4.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/567508/
Whiteboard: MGA3-64-OK MGA3-32-OK
Source RPM: moodle-2.4.5-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-10 21:30:03 CEST 
Moodle has released version 2.4.6 on September 9:
https://moodle.org/mod/forum/discuss.php?d=237413

The issues fixed in this release will be listed in the release notes:
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.

In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron.  No changes have been made other than updating to 2.4.6.

For testing instructions, see:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Updated package in core/updates_testing:
moodle-2.4.6-1.mga3

from moodle-2.4.6-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Dave Hodgins 2013-09-16 00:16:06 CEST 
Testing complete on both arches, just that moodle is working.

Waiting for the advisory before validating.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK

Comment 2 David Walser 2013-09-16 16:45:47 CEST 
Thanks Dave!

Details and CVEs have been released:
http://openwall.com/lists/oss-security/2013/09/16/1

Note that the MSA-13-0032/CVE-2012-6087 issue had already been fixed locally in our package since it was first imported.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

Null characters were allowed in query strings in Moodle before 2.4.6, which
caused sql statements to terminate and fail, potentially allowing sql
injection in Moodle's SQL Server driver (CVE-2013-4313).

Links to external blogs were not being adequately cleaned in Moodle before
2.4.6, potentially allowing for XSS attacks (CVE-2013-4341).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4341
https://moodle.org/mod/forum/discuss.php?d=238396
https://moodle.org/mod/forum/discuss.php?d=238399
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes
https://moodle.org/mod/forum/discuss.php?d=237413
========================

Updated packages in core/updates_testing:
========================
moodle-2.4.6-1.mga3

from moodle-2.4.6-1.mga3.src.rpm
Comment 3 claire robinson 2013-09-16 16:55:22 CEST 
Advisory uploaded, thanks David.

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-09-19 11:51:02 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0280.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-09-19 21:20:25 CEST

URL: (none) => http://lwn.net/Vulnerabilities/567508/