Bug 12385 - moodle new security issues fixed in 2.4.8
Summary: moodle new security issues fixed in 2.4.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/583668/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-21 18:01 CET by David Walser
Modified: 2014-02-11 23:52 CET (History)

See Also:
Source RPM: moodle-2.4.7-1.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2014-01-21 18:01:34 CET
Details for security issues fixed in Moodle 2.4.8 were released on January 20:
http://openwall.com/lists/oss-security/2014/01/20/1

David Walser 2014-01-21 18:01:47 CET

Status: NEW => ASSIGNED
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-31 19:30:37 CET
Fedora has issued an advisory for this on January 23:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html

URL: (none) => http://lwn.net/Vulnerabilities/583668/

Comment 2 David Walser 2014-02-05 23:32:03 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being
recorded and shown to administrators in the config log report (CVE-2014-0008).

In Moodle before 2.4.8, users were able to log in as a user who is not
in the same group without the permission to see all groups (CVE-2014-0009).

In Moodle 2.4.8, custom profile fields and categories were open to deletion
without proper session checking, due to two Cross-site Request Forgery (CSRF)
vulnerabilities in /user/profile/index.php (CVE-2014-0010).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0010
https://moodle.org/mod/forum/discuss.php?d=252414
https://moodle.org/mod/forum/discuss.php?d=252415
https://moodle.org/mod/forum/discuss.php?d=252416
http://docs.moodle.org/dev/Moodle_2.4.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=251856
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
========================

Updated packages in core/updates_testing:
========================
moodle-2.4.8-1.mga3
moodle-2.4.8-1.mga4

from SRPMS:
moodle-2.4.8-1.mga3.src.rpm
moodle-2.4.8-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: luigiwalser => qa-bugs
Severity: normal => major

Comment 3 Samuel Verschelde 2014-02-10 16:33:49 CET
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10755#c2

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Samuel Verschelde 2014-02-11 12:51:23 CET
I tried to follow the procedure in comment #3. I had to install apache in addition to the steps described there.

However, httpd won't start, fails with the following error (related to moodle):

Feb 11 12:29:04 localhost systemd[1]: Starting The Apache HTTP Server...
Feb 11 12:29:04 localhost httpd[18294]: AH00526: Syntax error on line 32 of /etc/httpd/conf/sites.d/moodle.conf:
Feb 11 12:29:04 localhost httpd[18294]: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the ...uration
Feb 11 12:29:04 localhost systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 11 12:29:04 localhost httpd[18295]: AH00526: Syntax error on line 32 of /etc/httpd/conf/sites.d/moodle.conf:
Feb 11 12:29:04 localhost httpd[18295]: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the ...uration
Feb 11 12:29:04 localhost systemd[1]: Failed to start The Apache HTTP Server.
Feb 11 12:29:04 localhost systemd[1]: Unit httpd.service entered failed state

This is because apache-mod_php is missing. After installing it, it works.

Missing deps (or instructions) in moodle?
Comment 5 Samuel Verschelde 2014-02-11 12:56:40 CET
Apart from the missing dependency, seems to work ok in i586. I haven't tested the migration, I will do it in my 64 bits test.
Comment 6 Samuel Verschelde 2014-02-11 13:29:00 CET
Testing mga3 64 complete. Followed procedure with release (or updates) moodle before updating the package from updates testing. Then connected to moodle, followed the upgrade steps it asked me to follow, and all went well. Created a second course.

Not validating until we create a bug report for the dependency problem.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 7 David Walser 2014-02-11 13:42:25 CET
It's not a dependency "problem."  The dependencies are the same in Fedora too, and would be most other places.  I do use Apache, but it's not the only webserver.
Comment 8 Samuel Verschelde 2014-02-11 14:17:32 CET
If it requires a webserver, shouldn't it require or at least suggest the "webserver" provides? I was not talking about requiring apache specifically.

As for apache-mod_php, I don't know what's the equivalent for other webservers nor if they have a common provides.

But this is out of scope for this update.
Comment 9 Lewis Smith 2014-02-11 15:50:56 CET
(In reply to Samuel VERSCHELDE from comment #8)
> If it requires a webserver, shouldn't it require or at least suggest the
> "webserver" provides? I was not talking about requiring apache specifically.
Yes, this should be on its own site
 http://docs.moodle.org/24/en/Installing_Moodle#Software
which mentions "Primarily Apache or IIS. Not fully tested (or supported) but should work are Lighttpd, Nginx, Cherokee, Zeus and LiteSpeed" and "PHP - The minimum version is currently 5.3.2. A number of extensions are required; see the PHP page for full details" but those are PHP *not* Apache extensions.
Refer to MoodleDocs.

CC: (none) => lewyssmith

Comment 10 Lewis Smith 2014-02-11 16:10:28 CET
Back to Mageia 4 64-bit test on real hardware.
Summary of steps taken: Install from base (this is considerable):
- Apache
- apache-mod_php
- Mariadb
- Moodle    [moodle-2.4.7-1.mga4]
systemctl enable httpd.service
systemctl start httpd.service
systemctl enable mysqld.service
systemctl start mysqld.service
Then as Bug 10755 comment 2 mysql onwards. The setup is long & thorough.
Created myself as admin [attention to note well the username & fiddly password], and a 1-item course with myself subscribed. Logout.

In 'test repository mode', updated Moodle from Mageia Control Centre to
 moodle-2.4.8-1.mga4
On re-logging in it recognised it had been updated, plus a few extras. Just carrying on, all its updates went well, thorough but quick.

Then added something to the course, all worked fine (within the context of not knowing what to do!).

MGA4-64-OK

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK
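Added example (not code from the bug report or the Mageia moodle package) for the httpd failure in comment 4 and the install steps in comment 10: a pre-flight check that a Moodle vhost file using php_flag/php_value only gets loaded when a PHP module is present, so the problem shows up before httpd is (re)started. The config contents, the module lists and the php5_module name are constructed assumptions.

```shell
#!/bin/sh
# Pre-flight check for the failure in comment 4: httpd refuses to start when a
# vhost file uses php_flag/php_value but mod_php is not loaded.
# Added example; not part of the bug report or the Mageia moodle package.

# Constructed stand-in for /etc/httpd/conf/sites.d/moodle.conf (the real
# file's contents are not on the page).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Directory /usr/share/moodle>
    Options FollowSymLinks
    php_flag register_globals off
    php_value memory_limit 128M
</Directory>
EOF

# Constructed module lists in "httpd -M" style (one "name (shared)" per
# line): a base Apache install without PHP, and the same with mod_php.
MODULES_NO_PHP="core_module (static)
mpm_prefork_module (shared)
dir_module (shared)"
MODULES_WITH_PHP="$MODULES_NO_PHP
php5_module (shared)"

# check_php_directives CONF MODULES
# Returns 0 when CONF can be loaded with MODULES; returns 1 and lists the
# offending lines on stderr when CONF uses mod_php-only directives and no
# php module is loaded.
check_php_directives() {
    conf="$1"; modules="$2"
    # Directives that only mod_php defines (what AH00526 complained about).
    bad=$(grep -nE '^[[:space:]]*php_(admin_)?(flag|value)[[:space:]]' "$conf" || true)
    [ -z "$bad" ] && return 0
    # Module name assumed for Mageia's apache-mod_php (PHP 5 on Apache 2.4).
    if printf '%s\n' "$modules" | grep -qE '^[[:space:]]*php[0-9]*_module'; then
        return 0
    fi
    printf '%s\n' "$bad" | while IFS= read -r line; do
        echo "$conf:$line: needs mod_php (install apache-mod_php)" >&2
    done
    return 1
}

# Stand-alone run: mirrors the outcome httpd would produce on each host.
check_php_directives "$SAMPLE_CONF" "$MODULES_NO_PHP" || echo "httpd would fail to start"
check_php_directives "$SAMPLE_CONF" "$MODULES_WITH_PHP" && echo "config OK with mod_php"
```

On a real host, replace the constructed module list with the output of `httpd -M` and point the function at the installed moodle.conf.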

Comment 11 Rémi Verschelde 2014-02-11 16:47:21 CET
Testing Mageia 4 i586.

CC: (none) => remi

Comment 12 Rémi Verschelde 2014-02-11 17:41:47 CET
Testing complete Mageia 4 i586, following the helpful procedure from comment 3 and with apache and apache-mod_php as pointed out by Stormi. I could set up everything and register a "QA Testing 101" course.

--

Validating update.

Could someone upload the advisory in comment 2 and a sysadmin push the update from core/updates_testing to core/updates for both Mageia 3 and 4?

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Rémi Verschelde 2014-02-11 19:05:12 CET
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 14 Thomas Backlund 2014-02-11 23:52:30 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0053.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

