Moodle has released version 2.4.6 on September 9: https://moodle.org/mod/forum/discuss.php?d=237413

The issues fixed in this release will be listed in the release notes: http://docs.moodle.org/dev/Moodle_2.4.6_release_notes

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then. In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron. No changes have been made other than updating to 2.4.6.

For testing instructions, see: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Updated package in core/updates_testing:
moodle-2.4.6-1.mga3 from moodle-2.4.6-1.mga3.src.rpm
Testing complete on both arches, just that moodle is working. Waiting for the advisory before validating.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
Thanks Dave! Details and CVEs have been released: http://openwall.com/lists/oss-security/2013/09/16/1

Note that the MSA-13-0032/CVE-2012-6087 issue had already been fixed locally in our package since it was first imported.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

Null characters were allowed in query strings in Moodle before 2.4.6, which caused SQL statements to terminate and fail, potentially allowing SQL injection in Moodle's SQL Server driver (CVE-2013-4313).

Links to external blogs were not being adequately cleaned in Moodle before 2.4.6, potentially allowing for XSS attacks (CVE-2013-4341).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4341
https://moodle.org/mod/forum/discuss.php?d=238396
https://moodle.org/mod/forum/discuss.php?d=238399
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes
https://moodle.org/mod/forum/discuss.php?d=237413
========================

Updated packages in core/updates_testing:
========================
moodle-2.4.6-1.mga3 from moodle-2.4.6-1.mga3.src.rpm
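An added detection example (not part of this bug report, the Mageia package or Moodle's own fix) that flags NUL bytes in request query strings, the condition the CVE-2013-4313 advisory describes, over constructed access-log lines. The log format and the `scan_log` / `nul_bytes_in_query` helpers are assumptions for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the page). Line 3 carries a
# percent-encoded NUL inside a query parameter; line 4 is double-encoded and
# decodes to the literal text "%00", which is not a NUL byte.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2013:10:01:02 +0000] "GET /course/view.php?id=12 HTTP/1.1" 200 5120
10.0.0.6 - - [16/Sep/2013:10:01:07 +0000] "GET /user/profile.php?id=7&course=1 HTTP/1.1" 200 3311
10.0.0.7 - - [16/Sep/2013:10:01:09 +0000] "GET /course/view.php?id=12%00 HTTP/1.1" 500 210
10.0.0.8 - - [16/Sep/2013:10:01:15 +0000] "GET /blog/index.php?userid=3%2500 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def nul_bytes_in_query(target: str) -> list:
    """Return the raw names of query parameters whose decoded name or value
    contains a 0x00 byte. Decoding is done once, as a web server/PHP would."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if b"\x00" in unquote_to_bytes(name) or b"\x00" in unquote_to_bytes(value):
            hits.append(name)
    return hits


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, flagged_params) for each log line
    whose query string carries a NUL byte after one round of decoding."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = nul_bytes_in_query(m.group("target"))
        if params:
            findings.append((line.split()[0], m.group("target"), params))
    return findings


if __name__ == "__main__":
    for ip, target, params in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} NUL in parameter(s): {', '.join(params)}")
```

Double-encoded values such as `%2500` are deliberately not flagged, since a single decode leaves them as harmless text; widen the check if the application decodes parameters more than once.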
Advisory uploaded, thanks David. Validating. Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0280.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/567508/