Bug 13369

Summary:	moodle new security issues fixed in 2.4.10 and 2.6.3
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	lewyssmith, sysadmin-bugs, tmb
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/599629/
Whiteboard:	MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
Source RPM:	moodle-2.4.9-1.mga4.src.rpm	CVE:
Status comment:

Description David Walser 2014-05-12 19:58:10 CEST

Upstream has issued new releases today (May 12):
http://docs.moodle.org/dev/Moodle_2.4.10_release_notes
http://docs.moodle.org/dev/Moodle_2.6.3_release_notes

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages.  I'll have to check the 2.4.10 release notes to see which issues our current 2.4.9 is vulnerable to.

As you can also see, Moodle 2.4 is only in limited support now; it's only supported for security issues, not even bugfixes anymore.  Also, according to other documentation, even the security support is expected to end before Mageia 3 EOL.

I upgraded our Moodle server to Mageia 4 and updated our local Moodle package to 2.6.2 about 6 weeks ago, and we've run two classes in production with it and it worked well and we didn't have any issues.  I just installed 2.6.3 and everything still looks OK.  I also tested 2.6.2 on our previous Mageia 2 server and it worked fine there as well.  Therefore, I am updating us to the 2.6 branch.

Note that updating to 2.6 should also eliminate the issue Lewis pointed out last time:
https://bugs.mageia.org/show_bug.cgi?id=13005#c4

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I'll write an advisory once the details are available.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Updated packages in core/updates_testing:
========================
moodle-2.6.3-1.mga3
moodle-2.6.3-1.mga4

from SRPMS:
moodle-2.6.3-1.mga3.src.rpm
moodle-2.6.3-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2014-05-12 19:58:17 CEST

Whiteboard: (none) => MGA3TOO

claire robinson 2014-05-13 19:16:29 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 1 claire robinson 2014-05-16 17:58:48 CEST

Testing complete mga3 64

After installing the update, on the next visit it asks to perform the update, then checks the plugins. Scrolling to the bottom and clicking to continue does so without error and all is well after it completes.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

Comment 2 claire robinson 2014-05-16 17:59:46 CEST

Sorry it was mga3 32 above.

Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok

Comment 3 claire robinson 2014-05-16 18:37:52 CEST

Testing complete mga3 64

Installed and updated but this time performed the installation with the testing version.

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 4 Lewis Smith 2014-05-17 20:35:30 CEST

Testing MGA4 64-bit real hardware.

The big update went fine; but I have forgotten the admin username & password, so might have to re-install it to actually try it. Grrr.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2014-05-17 21:40:57 CEST

Re-installed [from Updates Testing] moodle-2.6.3-1.mga4. You need to:

- Create a MySQL/MariaDB database with:
CREATE DATABASE moodle DEFAULT CHARACTER SET UTF8 COLLATE utf8_unicode_ci;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO moodleuser@localhost IDENTIFIED BY 'yourpassword';
with your choice of 'moodleuser' & 'yourpassword'. Note them both!

- Update /var/www/moodle/config.php
dbuser & dbpass with the MySQL/MariaDB user & password for the 'moodle' database.

To then launch Moodle on your local machine:
 http://localhost/moodle
The first time demands the administrator username (default 'admin') and very complicated password; be sure to note these permanently!

Very basic testing, setting the system up to the point of defining a naked course all seemed to work fine.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK

Comment 6 claire robinson 2014-05-18 09:21:56 CEST

Well done Lewis.

Testing complete mga4 32 too

It's missing an advisory though David please.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK

Comment 7 David Walser 2014-05-18 16:34:20 CEST

Thanks everyone.  I expect to have an advisory tomorrow.

Comment 8 David Walser 2014-05-19 19:13:26 CEST

Details on the issues fixed in this round of Moodle updates were released:
http://openwall.com/lists/oss-security/2014/05/19/1

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.3, Session checking was not being performed correctly
in Assignment's quick-grading, allowing forged requests to be made
unknowingly by authenticated users (CVE-2014-0213).

In Moodle before 2.6.3, MoodleMobile web service tokens, created
automatically in login/token.php, were not expiring and were valid forever
(CVE-2014-0214).

In Moodle before 2.6.3, Some student details, including identities, were
included in assignment marking pages and would have been revealed to
screen readers or through code inspection (CVE-2014-0215).

In Moodle before 2.6.3, Access to files linked on HTML blocks on the My
home page was not being checked in the correct context, allowing access to
unauthenticated users (CVE-2014-0216).

In Moodle before 2.6.3, There was a lack of filtering in the URL
downloader repository that could have been exploited for XSS
(CVE-2014-0218).

The 2.4 branch of Moodle will no longer be supported as of approximately
June 2014, so the Moodle package has been upgraded to version 2.6.3 to fix
these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0218
https://moodle.org/mod/forum/discuss.php?d=260361
https://moodle.org/mod/forum/discuss.php?d=260362
https://moodle.org/mod/forum/discuss.php?d=260363
https://moodle.org/mod/forum/discuss.php?d=260364
https://moodle.org/mod/forum/discuss.php?d=260366
http://docs.moodle.org/dev/Moodle_2.4.10_release_notes
http://docs.moodle.org/dev/Moodle_2.6.3_release_notes

Comment 9 claire robinson 2014-05-19 19:29:22 CEST

Thanks David, advisory uploaded.

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-05-19 21:06:09 CEST

Update pushed:
http://advisories.mageia.org/MGASA-2014-0230.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-05-20 19:01:03 CEST

URL: (none) => http://lwn.net/Vulnerabilities/599629/