Bug 18048

Summary: moodle new security issues fixed in 2.8.11
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/681393/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: moodle-2.8.10-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-21 13:17:58 CET 
Upstream has released new versions on March 14:
https://moodle.org/mod/forum/discuss.php?d=329783
https://docs.moodle.org/dev/Moodle_2.8.11_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.11, teachers who otherwise were not supposed to see
students' emails could see them in the participants list (CVE-2016-2151).

In Moodle before 2.8.11, Moodle traditionally trusted content from external
DB, however it was decided that external datasources may not be aware of web
security practices and data could cause problems after importing to Moodle
(CVE-2016-2152).

In Moodle before 2.8.11, a user with higher permissions could be tricked into
clicking a link which would result in Reflected XSS in mod_data advanced
search (CVE-2016-2153).

In Moodle before 2.8.11, users without capability to view hidden courses but
with capability to subscribe to Event Monitor rules could see the names of
hidden courses (CVE-2016-2154).

In Moodle before 2.8.11, the Non-Editing Instructor role can edit the exclude
checkbox in the Single View grade report (CVE-2016-2155).

In Moodle before 2.8.11, users without the capability to view hidden
acitivites could still see associated calendar events via web services, via
the external function get_calendar_events (CVE-2016-2156).

In Moodle before 2.8.11, CSRF is possible on the Assignment plugin admin
page, however an exploit is unlikely to benefit anybody and can easily be
reversed (CVE-2016-2157).

In Moodle before 2.8.11, enumeration of course category details is possible
without authentication (CVE-2016-2158).

In Moodle before 2.8.11, students were able to add assignment submissions
after the due date through web service, via the external function
mod_assign_save_submission (CVE-2016-2159).

In Moodle before 2.8.11, when following external links that were added with
the _blank target, a referer header would be added (CVE-2016-2190).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2190
https://moodle.org/mod/forum/discuss.php?d=330173
https://moodle.org/mod/forum/discuss.php?d=330174
https://moodle.org/mod/forum/discuss.php?d=330175
https://moodle.org/mod/forum/discuss.php?d=330176
https://moodle.org/mod/forum/discuss.php?d=330177
https://moodle.org/mod/forum/discuss.php?d=330178
https://moodle.org/mod/forum/discuss.php?d=330179
https://moodle.org/mod/forum/discuss.php?d=330180
https://moodle.org/mod/forum/discuss.php?d=330181
https://moodle.org/mod/forum/discuss.php?d=330182
https://docs.moodle.org/dev/Moodle_2.8.11_release_notes
https://moodle.org/mod/forum/discuss.php?d=329783
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.11-1.mga5

from moodle-2.8.11-1.mga5.src.rpm
Comment 1 David Walser 2016-03-21 13:18:11 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-03-21 13:18:22 CET 
Working fine on our production LMS at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 3 claire robinson 2016-03-24 22:39:20 CET 
Validating. Advisory todo.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-03-25 06:35:01 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Comment 4 Mageia Robot 2016-03-25 07:39:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0122.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-28 16:52:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/681393/