Bug 10755 - moodle new security issues fixed in 2.4.5
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal  Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560021/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Reported: 2013-07-10 23:29 CEST by David Walser
Modified: 2014-05-08 18:05 CEST
Source RPM: moodle-2.4.4-1.1.mga3.src.rpm


Description David Walser 2013-07-10 23:29:49 CEST
Moodle has released version 2.4.5 on July 8:

The issues fixed in this release will be listed in the release notes:

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.

In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron.  No changes have been made other than updating to 2.4.5.

Updated package in core/updates_testing:

from moodle-2.4.5-1.mga3.src.rpm


Comment 1 David Walser 2013-07-16 00:34:09 CEST
For testing instructions, see:


Updated moodle package fixes security vulnerabilities:

Flash files distributed with the YUI library in Moodle before 2.4.5 may have
allowed for cross-site scripting attacks (MSA-13-0025).

Privacy settings for the IMS-LTI (External tool) module in Moodle before
2.4.5 were not able to be changed so personal information was always
transferred (MSA-13-0026).

Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5
without the required capability (CVE-2013-2242).

It was possible to determine answers from ID values in Lesson activity
matching questions in Moodle before 2.4.5 (CVE-2013-2243).

Conditional access rule values for user fields were able to contain unescaped
HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).

When impersonating another user using RSS tokens in Moodle before 2.4.5, an
error was displayed, but block information relevant to the person being
impersonated was shown (CVE-2013-2245).

The Feedback module in Moodle before 2.4.5 was showing personal information
to users without the needed capability (CVE-2013-2246).

Comment 2 claire robinson 2013-07-16 12:37:48 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

To get this up and running, it's similar to other web app packages.

Simplest way:
urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<PASSWORD>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then, edit /var/www/moodle/config.php, and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser (or whatever user you created in the create user command in mysql), and the password you used in the create user mysql command in for dbpass.

Then browse to http://localhost/moodle to complete the setup.

There's a lot more documentation on using moodle at:
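The config.php step in the procedure above, as an added example that is not part of this bug report or of Moodle itself: a POSIX shell helper that fills in dbuser and dbpass in a config.php and then sanity-checks the result (both values set, and the database user is not root). The sample config.php it writes is constructed here and only mimics the lines the step refers to; the function names are this example's own, and credentials containing a single quote are rejected because they would break out of the PHP string literal.

```shell
#!/bin/sh
# Added example, not from the bug report or from Moodle.

# Write a constructed, minimal Moodle-style config.php to $1 with the
# empty dbuser/dbpass values the procedure above tells you to fill in.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype    = 'mysqli';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = '';
$CFG->dbpass    = '';
EOF
}

# Escape a value for use in a sed replacement with '|' as delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Print the value of $CFG->$2 from config.php $1 (empty if unset).
get_config_value() {
    sed -n "s|.*CFG->$2 *= *'\([^']*\)';.*|\1|p" "$1"
}

# Fill in dbuser ($2) and dbpass ($3) in config.php $1.
set_moodle_db_credentials() {
    cfg="$1"; user="$2"; pass="$3"
    # A single quote would end the PHP string literal early; refuse it.
    case "$user$pass" in
        *\'*) echo "refusing credential containing a single quote" >&2; return 1 ;;
    esac
    esc_user=$(sed_escape "$user")
    esc_pass=$(sed_escape "$pass")
    sed -e "s|\(CFG->dbuser *= *\)'[^']*';|\1'$esc_user';|" \
        -e "s|\(CFG->dbpass *= *\)'[^']*';|\1'$esc_pass';|" \
        "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Check that config.php $1 has a non-empty dbuser and dbpass and that the
# database user is a dedicated one rather than root.
check_moodle_db_credentials() {
    user=$(get_config_value "$1" dbuser)
    pass=$(get_config_value "$1" dbpass)
    [ -n "$user" ] || { echo "dbuser is empty" >&2; return 1; }
    [ -n "$pass" ] || { echo "dbpass is empty" >&2; return 1; }
    [ "$user" != root ] || { echo "dbuser must not be root" >&2; return 1; }
    return 0
}

# Usage (paths are placeholders):
#   set_moodle_db_credentials /var/www/moodle/config.php moodle "$DB_PASSWORD"
#   check_moodle_db_credentials /var/www/moodle/config.php
```

The checker is the part worth keeping around: run it against the real /var/www/moodle/config.php after editing, before browsing to http://localhost/moodle, so an empty password or a root database user is caught before the web installer connects.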
Comment 3 claire robinson 2013-07-16 12:43:21 CEST
Sorry David, I didn't notice you'd already given a link.

Testing mga3 64
Comment 4 claire robinson 2013-07-16 13:43:31 CEST
Installed and configured with the admin user and created a sample course.

Installed the update candidate and it then offered to upgrade the database and one plugin, I thought I'd remember its name but I don't :\

All OK after doing so, the login and course are still present.

Testing complete mga3 64
Comment 5 claire robinson 2013-07-18 13:31:52 CEST
Testing mga3 32
Comment 6 claire robinson 2013-07-18 13:55:31 CEST
Testing complete mga3 32
Comment 7 claire robinson 2013-07-18 14:01:16 CEST
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Comment 8 Nicolas Vigier 2013-07-21 11:36:08 CEST
