Bug 11212 - moodle new security issues fixed in 2.4.6
: moodle new security issues fixed in 2.4.6
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/567508/
: MGA3-64-OK MGA3-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-10 21:30 CEST by David Walser
Modified: 2013-09-19 21:20 CEST (History)
3 users (show)

See Also:
Source RPM: moodle-2.4.5-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-09-10 21:30:03 CEST
Moodle has released version 2.4.6 on September 9:
https://moodle.org/mod/forum/discuss.php?d=237413

The issues fixed in this release will be listed in the release notes:
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes

The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.

In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron.  No changes have been made other than updating to 2.4.6.

For testing instructions, see:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Updated package in core/updates_testing:
moodle-2.4.6-1.mga3

from moodle-2.4.6-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Dave Hodgins 2013-09-16 00:16:06 CEST
Testing complete on both arches, just that moodle is working.

Waiting for the advisory before validating.
Comment 2 David Walser 2013-09-16 16:45:47 CEST
Thanks Dave!

Details and CVEs have been released:
http://openwall.com/lists/oss-security/2013/09/16/1

Note that the MSA-13-0032/CVE-2012-6087 issue had already been fixed locally in our package since it was first imported.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

Null characters were allowed in query strings in Moodle before 2.4.6, which
caused sql statements to terminate and fail, potentially allowing sql
injection in Moodle's SQL Server driver (CVE-2013-4313).

Links to external blogs were not being adequately cleaned in Moodle before
2.4.6, potentially allowing for XSS attacks (CVE-2013-4341).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4341
https://moodle.org/mod/forum/discuss.php?d=238396
https://moodle.org/mod/forum/discuss.php?d=238399
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes
https://moodle.org/mod/forum/discuss.php?d=237413
========================

Updated packages in core/updates_testing:
========================
moodle-2.4.6-1.mga3

from moodle-2.4.6-1.mga3.src.rpm
Comment 3 claire robinson 2013-09-16 16:55:22 CEST
Advisory uploaded, thanks David.

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 4 Thomas Backlund 2013-09-19 11:51:02 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0280.html

Note You need to log in before you can comment on or make changes to this bug.