Bug 15244

Summary: moodle new security issue fixed in 2.6.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/632710/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: moodle-2.6.7-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-09 16:39:39 CET 
Upstream has released new versions on February 2:
https://moodle.org/mod/forum/discuss.php?d=279502

The security issue was made public today (February 9):
http://openwall.com/lists/oss-security/2015/02/09/2

A CVE was requested on oss-security for the security issue before the Moodle notification was made public, so there's a duplicate CVE for this issue:
http://openwall.com/lists/oss-security/2015/02/09/5

MITRE decided to use the one they had issued on the list, rather than the one Moodle privately had.  Hence, the CVE in our advisory doesn't currently match the upstream one.  We'll change this if there's an objection to it from upstream.

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerability:

In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not
always cleaned from including "../" in the path, allowing to read files
located outside of moodle directory. All OS's are affected, but especially
vulnerable are Windows servers (CVE-2015-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1493
https://moodle.org/mod/forum/discuss.php?d=279956
https://docs.moodle.org/dev/Moodle_2.6.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=279502
http://openwall.com/lists/oss-security/2015/02/09/5
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.8-1.mga4

from moodle-2.6.8-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-02-09 16:39:56 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-02-09 16:40:18 CET 
Working fine on our production Moodle server at work, Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-02-09 18:03:53 CET 
Testing complete mga4 64

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 4 claire robinson 2015-02-09 18:37:08 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-02-09 22:44:54 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0057.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-10 18:26:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/632710/