Bug 10755 - moodle new security issues fixed in 2.4.5
Summary: moodle new security issues fixed in 2.4.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560021/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-10 23:29 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
CC List: 1 user

See Also:
Source RPM: moodle-2.4.4-1.1.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-07-10 23:29:49 CEST
Moodle has released version 2.4.5 on July 8:
https://moodle.org/mod/forum/discuss.php?d=232108

The issues fixed in this release will be listed in the release notes:
http://docs.moodle.org/dev/Moodle_2.4.5_release_notes

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.

In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron.  No changes have been made other than updating to 2.4.5.

Updated package in core/updates_testing:
moodle-2.4.5-1.mga3

from moodle-2.4.5-1.mga3.src.rpm

Comment 1 David Walser 2013-07-16 00:34:09 CEST
For testing instructions, see:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

Flash files distributed with the YUI library in Moodle before 2.4.5 may have
allowed for cross-site scripting attacks (MSA-13-0025).

Privacy settings for the IMS-LTI (External tool) module in Moodle before
2.4.5 were not able to be changed so personal information was always
transferred (MSA-13-0026).

Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5
without the required capability (CVE-2013-2242).

It was possible to determine answers from ID values in Lesson activity
matching questions in Moodle before 2.4.5 (CVE-2013-2243).

Conditional access rule values for user fields were able to contain unescaped
HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).

When impersonating another user using RSS tokens in Moodle before 2.4.5, an
error was displayed, but block information relevant to the person being
impersonated was shown (CVE-2013-2245).

The Feedback module in Moodle before 2.4.5 was showing personal information 
to users without the needed capability (CVE-2013-2246).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2246
https://moodle.org/mod/forum/discuss.php?d=232496
https://moodle.org/mod/forum/discuss.php?d=232497
https://moodle.org/mod/forum/discuss.php?d=232498
https://moodle.org/mod/forum/discuss.php?d=232500
https://moodle.org/mod/forum/discuss.php?d=232501
https://moodle.org/mod/forum/discuss.php?d=232502
https://moodle.org/mod/forum/discuss.php?d=232503
http://docs.moodle.org/dev/Moodle_2.4.5_release_notes
https://moodle.org/mod/forum/discuss.php?d=232108

Severity: normal => major

Comment 2 claire robinson 2013-07-16 12:37:48 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

To get this up and running, it's similar to other web app packages.

Simplest way:
urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root 
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<PASSWORD>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then, edit /var/www/moodle/config.php, and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser (or whatever user you created in the create user command in mysql), and the password you used in the create user mysql command in for dbpass.

Then browse to http://localhost/moodle to complete the setup.

There's a lot more documentation on using moodle at:
http://docs.moodle.org/24/en/Main_page
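The set-up procedure from comment 2, scripted as an added example. This is not from the bug report, the Mageia package or the Moodle project. It assumes the MariaDB `mysql` client can connect as root over the local socket without a password (as the procedure does), that config.php is at /var/www/moodle/config.php and still carries the shipped empty-quoted `$CFG->dbuser = '';` and `$CFG->dbpass = '';` lines, and GNU sed and stat. The generated password is alphanumeric only, so it needs no escaping inside SQL or PHP single quotes or in the sed expression. Run it with `--apply` to perform the steps; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example: automates the database and config.php steps of the QA
# procedure. Not part of the bug report, the Mageia package or Moodle.
# Assumptions: passwordless `mysql -u root` over the local socket,
# config.php at /var/www/moodle/config.php with empty dbuser/dbpass,
# GNU sed (-i) and GNU stat (-c).
set -eu

# Alphanumeric only, so the value is safe in SQL and PHP single quotes
# and in the sed replacement below without any escaping.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# The SQL from the procedure. Privileges are scoped to the one database
# and the account may only connect from localhost; charset is set at
# creation instead of with a separate ALTER DATABASE (same result).
moodle_sql() {
    db=$1 user=$2 pass=$3
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Fill in the value of a `$CFG->key = '...';` line in config.php.
set_cfg() {
    file=$1 key=$2 value=$3
    sed -i "s|^\(\\\$CFG->$key *= *\)'[^']*';|\1'$value';|" "$file"
}

# Read a `$CFG->key` value back, to verify the edit took.
get_cfg() {
    sed -n "s|^\\\$CFG->$2 *= *'\([^']*\)';.*|\1|p" "$1"
}

# config.php now holds the database password: it must not be
# world-readable. Succeeds when the "other" permission bits are zero.
check_cfg_perms() {
    mode=$(stat -c '%a' "$1")
    case $mode in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    CFG=/var/www/moodle/config.php
    PASS=$(gen_password 24)
    moodle_sql moodle moodle "$PASS" | mysql -u root
    set_cfg "$CFG" dbuser moodle
    set_cfg "$CFG" dbpass "$PASS"
    check_cfg_perms "$CFG" || \
        echo "warning: $CFG is world-readable and now contains the DB password" >&2
    echo "Database ready; browse to http://localhost/moodle to finish the setup."
fi
```

The permission check is the one step the procedure does not mention: once dbpass is filled in, config.php is a credential file and should be readable by the web server's user or group only.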
claire robinson 2013-07-16 12:38:10 CEST

Whiteboard: (none) => has_procedure

Comment 3 claire robinson 2013-07-16 12:43:21 CEST
Sorry David, I didn't notice you'd already given a link.

Testing mga3 64
Comment 4 claire robinson 2013-07-16 13:43:31 CEST
Installed and configured with the admin user and created a sample course.

Installed the update candidate and it then offered to upgrade the database and one plugin, I thought I'd remember its name but I don't :\

All OK after doing so, the login and course are still present.

Testing complete mga3 64

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 5 claire robinson 2013-07-18 13:31:52 CEST
Testing mga3 32
Comment 6 claire robinson 2013-07-18 13:55:31 CEST
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 7 claire robinson 2013-07-18 14:01:16 CEST
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Vigier 2013-07-21 11:36:08 CEST
http://advisories.mageia.org/MGASA-2013-0217.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

David Walser 2013-07-22 19:33:06 CEST

URL: (none) => http://lwn.net/Vulnerabilities/560021/

Nicolas Vigier 2014-05-08 18:05:42 CEST

CC: boklm => (none)

