Bug 15084

Summary: moodle new security issues fixed in 2.6.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/630070/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: moodle-2.6.6-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-19 17:20:23 CET 
Upstream has released new versions on January 12:
https://moodle.org/mod/forum/discuss.php?d=278176

The security issues were made public today (January 19):
http://openwall.com/lists/oss-security/2015/01/19/1

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.7, absence of a capability check in AJAX backend script
in the LTI module could allow any enrolled user to search the list of
registered tools (CVE-2015-0211).

In Moodle before 2.6.7, the course summary on course request pending approval
page was displayed to the manager unescaped and could be used for XSS attack
(CVE-2015-0212).

In Moodle before 2.6.7, two files in the Glossary module lacked a session key
check potentially allowing cross-site request forgery (CVE-2015-0213).

In Moodle before 2.6.7, through web-services it was possible to access
messaging-related functions such as people search even if messaging is
disabled on the site (CVE-2015-0214).

In Moodle before 2.6.7, through web-services it was possible to get
information about calendar events which user did not have enough permissions
to see (CVE-2015-0215).

In Moodle before 2.6.7, non-optimal regular expression in the multimedia
filter could be exploited to create extra server load or make particular page
unavailable, resulting in a denial of service (CVE-2015-0217).

In Moodle before 2.6.7, it was possible to forge a request to logout users
even when not authenticated through Shibboleth (CVE-2015-0218).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0218
https://moodle.org/mod/forum/discuss.php?d=278611
https://moodle.org/mod/forum/discuss.php?d=278612
https://moodle.org/mod/forum/discuss.php?d=278613
https://moodle.org/mod/forum/discuss.php?d=278614
https://moodle.org/mod/forum/discuss.php?d=278615
https://moodle.org/mod/forum/discuss.php?d=278617
https://moodle.org/mod/forum/discuss.php?d=278618
https://docs.moodle.org/dev/Moodle_2.6.7_release_notes
https://moodle.org/mod/forum/discuss.php?d=278176
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.7-1.mga3
moodle-2.6.7-1.mga4

from SRPMS:
moodle-2.6.7-1.mga3.src.rpm
moodle-2.6.7-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-19 17:20:42 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 olivier charles 2015-01-19 21:29:23 CET 
Testing on Mageia4x64 real hardware following procedure mentioned in Comment 1

From current package :
--------------------
moodle-2.6.6-1.mga4
(don't know why, in MCC, latest version shown was moodle-2.6.3-1.mga4, had to urpmi to get this version)


After creating database with mysqld commands, proceeded to install moodle.
Once installed, could create a new course, log in and out, upload a file, backup, restore ...
All OK

To updated testing package :
--------------------------
moodle-2.6.7-1.mga4

Went to :
http://localhost/moodle
which showed :
Upgrading Moodle database from version 2.6.6 (Build: 20141110) (2013111806.00) to 2.6.7 (Build: 20150112) (2013111807.00)
Proceeded to upgrade.
Could connect back to previous course, make some changes, log in an out, backup, restore...

Dropped moodle database and user
Recreated moodle database from scratch and performed a new installation
Created a new course.

All ok

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 David Walser 2015-01-20 13:55:31 CET 
Working fine on our production Moodle server at work, Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-01-20 15:39:38 CET 
Validating. Advisory uploaded (minus mga3 package)

Please push to 4 updates

Thanks

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-01-20 15:58:08 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0032.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-20 20:15:48 CET

URL: (none) => http://lwn.net/Vulnerabilities/630070/