Bug 17537

Summary: moodle new security issues fixed in 2.8.10
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/672824/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: moodle-2.8.9-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-01-19 18:57:33 CET
Upstream has released new versions on January 11:
https://moodle.org/mod/forum/discuss.php?d=325820
https://docs.moodle.org/dev/Moodle_2.8.10_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.10, the web services core_enrol_get_course_enrolment_methods
and enrol_self_get_instance_info did not check the user's permission to access
hidden courses (CVE-2016-0724).

In Moodle before 2.8.10, the search string in the course management interface was
not escaped when being output, creating the potential for an XSS attack
(CVE-2016-0725).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0725
https://moodle.org/mod/forum/discuss.php?d=326205
https://moodle.org/mod/forum/discuss.php?d=326206
https://docs.moodle.org/dev/Moodle_2.8.10_release_notes
https://moodle.org/mod/forum/discuss.php?d=325820
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.10-1.mga5

from moodle-2.8.10-1.mga5.src.rpm

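For readers who want to see what the two bug classes in the advisory look like in code, the following is an added illustration in PHP against Moodle's public API. It is not Moodle's own code and not the 2.8.10 patch; the example_* function names, the choice of the moodle/course:viewhiddencourses capability as the gate, and the config.php bootstrap are assumptions made here.

```php
<?php
// Added illustration, not Moodle's own code or the 2.8.10 patch: the two bug
// classes named in the advisory, written against Moodle's public PHP API.
// Assumptions: this runs inside a Moodle install (config.php bootstraps $DB,
// $USER and the library), $courseid and $search arrive as request parameters,
// and the example_* helper names are ours.
require_once(__DIR__ . '/config.php');

/**
 * CVE-2016-0724 class: returning enrolment data for a course the caller
 * may not see. A hidden course (visible = 0) is only exposed to users who
 * hold moodle/course:viewhiddencourses in that course context; the vulnerable
 * services handed back the data without such a check.
 */
function example_get_enrol_methods_checked($courseid, $user) {
    global $DB;
    $course  = $DB->get_record('course', array('id' => $courseid), '*', MUST_EXIST);
    $context = context_course::instance($course->id);

    if (!$course->visible &&
            !has_capability('moodle/course:viewhiddencourses', $context, $user)) {
        // Deny instead of silently returning the hidden course's enrolment methods.
        throw new required_capability_exception($context,
                'moodle/course:viewhiddencourses', 'nopermissions', '');
    }
    return enrol_get_instances($course->id, true);   // enabled instances only
}

/**
 * CVE-2016-0725 class: reflecting a user-supplied search string into HTML.
 * Vulnerable shape:   echo '<span>' . $search . '</span>';
 * s() is Moodle's htmlspecialchars() wrapper, so any markup in $search is
 * rendered as literal text instead of being interpreted by the browser.
 */
function example_render_search_label($search) {
    return html_writer::tag('span', s($search), array('class' => 'search-term'));
}

$courseid = required_param('id', PARAM_INT);
$search   = optional_param('search', '', PARAM_RAW);   // RAW on input; escaping is done at output
require_login();

$methods = example_get_enrol_methods_checked($courseid, $USER);
echo example_render_search_label($search);
echo html_writer::tag('p', count($methods) . ' enabled enrolment method(s)');
```

The point of the first helper is that the visibility check has to happen in the web-service path itself, not only in the HTML course pages; the second helper keeps the search term unescaped until the moment it is emitted, which is the single place the escaping is guaranteed to apply.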
Comment 1 David Walser 2016-01-19 18:57:44 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-01-19 20:09:37 CET
Working fine on our production LMS at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2016-01-19 22:48:05 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-01-20 18:54:31 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0029.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-21 20:25:33 CET

URL: (none) => http://lwn.net/Vulnerabilities/672824/