Bug 16374

Summary: moodle new security issues fixed in 2.8.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/653503/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: moodle-2.8.6-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-07-13 19:36:34 CEST 
Upstream has released new versions on July 6:
https://moodle.org/mod/forum/discuss.php?d=316289

The security issues have been made public today (July 13):
http://www.openwall.com/lists/oss-security/2015/07/13/2

The Moodle 2.8.7 release notes are here:
https://docs.moodle.org/dev/Moodle_2.8.7_release_notes

Moodle 2.6 is no longer supported.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:


In Moodle before 2.8.7, phishing is possible when redirecting to external
site using referer headers in error messages (CVE-2015-3272).

In Moodle before 2.8.7, several web services returning user information did
not clean text in text custom profile fields, leading to possible XSS
(CVE-2015-3274).

In Moodle before 2.8.7, possible Javascript injection was discovered in the
SCORM module (CVE-2015-3275).

As Moodle 2.6 is no longer supported, users of this package on Mageia 4 are
advised to migrate to Mageia 5.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3275
https://moodle.org/mod/forum/discuss.php?d=316662
https://moodle.org/mod/forum/discuss.php?d=316664
https://moodle.org/mod/forum/discuss.php?d=316665
https://docs.moodle.org/dev/Moodle_2.8.7_release_notes
https://moodle.org/mod/forum/discuss.php?d=316289
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.7-1.mga5

from moodle-2.8.7-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-07-13 19:36:52 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Dave Hodgins 2015-07-28 17:12:13 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 2 Len Lawrence 2015-07-31 21:59:39 CEST 
Going to give this a go for mga5 x86_64.

Installed phpmyadmin and moodle.
Enabled core updates testing and installed the update candidate.
Checking out Claire's procedure now.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2015-07-31 22:01:04 CEST 
Sorry; David's procedure.
Comment 4 Len Lawrence 2015-07-31 22:21:38 CEST 
This is all foreign country to me but got as far as creating the database and user and failed like Claire in the browser.  systemctl restart httpd did the trick - have the start page in the browser right now.

Have to take a break.
Comment 5 Len Lawrence 2015-07-31 22:39:19 CEST 
Pased minimum system requirements, then successful checks on a huge number of parameters/properties/attributes(?).
Created user and assigned him my email address.  Could not get past the last page because it wanted a site name and I did not have a clue what it was talking about.
Comment 6 Len Lawrence 2015-08-01 00:45:25 CEST 
Supplied a random name and an abbreviation and proceeded to site administration.
Should I register? (in order to get feedback - like a welcome email)

And is this all that is required to test the update?
Comment 7 David Walser 2015-08-01 00:53:33 CEST 
It sounds like you've sufficiently tested it
Comment 8 Len Lawrence 2015-08-01 01:01:32 CEST 
Right then.  Shall keep the database settings but ignore site registration.  Marking this OK.
Comment 9 Len Lawrence 2015-08-01 01:04:58 CEST 
And thanks for the detailed procedure.  That streamlined the whole thing.

Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK

Comment 10 David Walser 2015-08-01 01:37:19 CEST 
Yeah, you don't want to do site registration, that's for public Moodle sites
Comment 11 claire robinson 2015-08-03 18:54:16 CEST 
Well done Len.

Noarch. Validating.

Please push to 5 updates.

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-08-03 22:56:09 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0302.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-04 22:32:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/653503/