| Summary: | moodle new security issues fixed in 2.6.6 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/622955/ | | |
| Whiteboard: | MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK advisory | | |
| Source RPM: | moodle-2.6.5-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-11-13 22:54:17 CET

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => MGA3TOO has_procedure

Working fine on our production Moodle server at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.5, without forcing encoding, it was possible that UTF7 characters could be used to force cross-site scripts to AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages) (MSA-14-0035).

In Moodle before 2.6.5, an XSS issue through $searchcourse in mod/feedback/mapcourse.php, due to the last search string in the Feedback module not being escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list for temporary password generation was short, therefore the pool of possible passwords was not big enough (CVE-2014-7845).

In Moodle before 2.6.5, capability checks in the LTI module only checked access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in Database activity module became visible to users in other groups after being edited by a teacher (CVE-2014-7833).

In Moodle before 2.6.5, unprivileged users could access the list of available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was available to unauthenticated users increasing server load when used by other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an unauthenticated user can be shown an error message containing the file system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if web service with file upload function was available, user could upload XSS file to his profile picture area (CVE-2014-7835).

In Moodle before 2.6.5, two files in the LTI module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete pages in at least one Wiki activity in the course were able to delete pages in other Wiki pages in the same course (CVE-2014-7837).

In Moodle before 2.6.5, set tracking script in the Forum module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7838).

In Moodle before 2.6.5, session key check was missing on return page in module LTI allowing attacker to include arbitrary message in URL query string (MSA-14-0049).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7848
https://moodle.org/mod/forum/discuss.php?d=275146
https://moodle.org/mod/forum/discuss.php?d=275147
https://moodle.org/mod/forum/discuss.php?d=275152
https://moodle.org/mod/forum/discuss.php?d=275154
https://moodle.org/mod/forum/discuss.php?d=275155
https://moodle.org/mod/forum/discuss.php?d=275157
https://moodle.org/mod/forum/discuss.php?d=275158
https://moodle.org/mod/forum/discuss.php?d=275159
https://moodle.org/mod/forum/discuss.php?d=275160
https://moodle.org/mod/forum/discuss.php?d=275161
https://moodle.org/mod/forum/discuss.php?d=275162
https://moodle.org/mod/forum/discuss.php?d=275163
https://moodle.org/mod/forum/discuss.php?d=275164
https://moodle.org/mod/forum/discuss.php?d=275165
https://docs.moodle.org/dev/Moodle_2.6.6_release_notes
https://moodle.org/mod/forum/discuss.php?d=274730

Public announcements were made here today:
http://openwall.com/lists/oss-security/2014/11/17/11

Tested on Mageia 3 i586 with the PHP 5.4.35 update from Bug 14555. Imported a course that I had exported from our production Moodle. That worked fine.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Advisory uploaded.

CC: (none) => remi

Testing on Mageia3-64 real HW

Current package :
---------------
# rpm -q moodle
moodle-2.6.5-1.mga3

Followed procedure mentioned in comment 1
Could install and create, backup and restore a new course in moodle, log in logout

Updated to testing package :
--------------------------
# rpm -q moodle
moodle-2.6.6-1.mga3

Connecting back on moodle db showed message :
Upgrading Moodle database from version 2.6.5 (Build: 20140908) (2013111805.00) to 2.6.6 (Build: 20141110) (2013111806.00)
our Moodle files have been changed, and you are about to automatically upgrade your server to this version:
...
upgraded 3 plugins
could log in back previous course and alter it
could add a new course

Dropped database and created a new moodle database
created new course etc.
All OK

CC: (none) => olchal

Validating, it's been well tested already.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0483.html

Status: NEW => RESOLVED

David Walser
2014-11-24 20:45:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/622955/