Bug 10755 - moodle new security issues fixed in 2.4.5
Summary: moodle new security issues fixed in 2.4.5
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560021/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Depends on:
Reported: 2013-07-10 23:29 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
1 user (show)

See Also:
Source RPM: moodle-2.4.4-1.1.mga3.src.rpm
Status comment:


Description David Walser 2013-07-10 23:29:49 CEST
Moodle has released version 2.4.5 on July 8:

The issues fixed in this release will be listed in the release notes:

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.

In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron.  No changes have been made other than updating to 2.4.5.

Updated package in core/updates_testing:

from moodle-2.4.5-1.mga3.src.rpm


Steps to Reproduce:
Comment 1 David Walser 2013-07-16 00:34:09 CEST
For testing instructions, see:


Updated moodle package fix security vulnerabilities:

Flash files distributed with the YUI library in Moodle before 2.4.5 may have
allowed for cross-site scripting attacks (MSA-13-0025).

Privacy settings for the IMS-LTI (External tool) module in Moodle before
2.4.5 were not able to be changed so personal information was always
transferred (MSA-13-0026).

Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5
without the required capability (CVE-2013-2242).

It was possible to determine answers from ID values in Lesson activity
matching questions in Moodle before 2.4.5 (CVE-2013-2243).

Conditional access rule values for user fields were able to contain unescaped
HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).

When impersonating another user using RSS tokens in Moodle before 2.4.5, an
error was displayed, but block information relevant to the person being
impersonated was shown (CVE-2013-2245).

The Feedback module in Moodle before 2.4.5 was showing personal information 
to users without the needed capability (CVE-2013-2246).


Severity: normal => major

Comment 2 claire robinson 2013-07-16 12:37:48 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

To get this up and running, it's similar to other web app packages.

Simplest way:
urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root 
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<PASSWORD>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then, edit /var/www/moodle/config.php, and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser (or whatever user you created in the create user command in mysql), and the password you used in the create user mysql command in for dbpass.

Then browse to http://localhost/moodle to complete the setup.

There's a lot more documentation on using moodle at:
claire robinson 2013-07-16 12:38:10 CEST

Whiteboard: (none) => has_procedure

Comment 3 claire robinson 2013-07-16 12:43:21 CEST
Sorry David, I didn't notice you'd already given a link.

Testing mga3 64
Comment 4 claire robinson 2013-07-16 13:43:31 CEST
Installed and configured with the admin user and created a sample course.

Installed the update candidate and it then offered to upgrade the database and one plugin, I thought I'd remember it's name but I don't :\

All OK after doing so, the login and course are still present.

Testing complete mga3 64

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 5 claire robinson 2013-07-18 13:31:52 CEST
Testing mga3 32
Comment 6 claire robinson 2013-07-18 13:55:31 CEST
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 7 claire robinson 2013-07-18 14:01:16 CEST
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Vigier 2013-07-21 11:36:08 CEST

CC: (none) => boklm
Resolution: (none) => FIXED

David Walser 2013-07-22 19:33:06 CEST

URL: (none) => http://lwn.net/Vulnerabilities/560021/

Nicolas Vigier 2014-05-08 18:05:42 CEST

CC: boklm => (none)

Note You need to log in before you can comment on or make changes to this bug.