Bug 14538 - moodle new security issues fixed in 2.6.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/622955/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4...
Keywords: validated_update
Reported: 2014-11-13 22:54 CET by David Walser
Modified: 2014-11-24 20:45 CET
Source RPM: moodle-2.6.5-1.mga4.src.rpm

Description David Walser 2014-11-13 22:54:17 CET
Upstream has released new versions on November 10:
https://moodle.org/mod/forum/discuss.php?d=274730

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages:
https://docs.moodle.org/dev/Moodle_2.6.6_release_notes

Freeze push requested for Cauldron.

Updated packages uploaded for Mageia 3 and Mageia 4.

I'll write an advisory once the details are available.

Updated packages in core/updates_testing:
========================
moodle-2.6.6-1.mga3
moodle-2.6.6-1.mga4

from SRPMS:
moodle-2.6.6-1.mga3.src.rpm
moodle-2.6.6-1.mga4.src.rpm

Comment 1 David Walser 2014-11-13 22:54:38 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 David Walser 2014-11-13 23:55:55 CET
Working fine on our production Moodle server at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 3 David Walser 2014-11-17 14:53:23 CET
Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.5, without forcing encoding, it was possible that UTF7
characters could be used to force cross-site scripts to AJAX scripts
(although this is unlikely on modern browsers and on most Moodle pages)
(MSA-14-0035).

In Moodle before 2.6.5, an XSS issue through $searchcourse in
mod/feedback/mapcourse.php, due to the last search string in the Feedback
module not being escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list for temporary password generation was
short, therefore the pool of possible passwords was not big enough
(CVE-2014-7845).

In Moodle before 2.6.5, capability checks in the LTI module only checked
access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in Database activity module
became visible to users in other groups after being edited by a teacher
(CVE-2014-7833).

In Moodle before 2.6.5, unprivileged users could access the list of
available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was
available to unauthenticated users increasing server load when used by
other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum
discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an
unauthenticated user can be shown an error message containing the file
system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if web service with file upload function was
available, user could upload XSS file to his profile picture area
(CVE-2014-7835).

In Moodle before 2.6.5, two files in the LTI module lacked a session key
check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete
pages in at least one Wiki activity in the course were able to delete pages
in other Wiki pages in the same course (CVE-2014-7837).

In Moodle before 2.6.5, set tracking script in the Forum module lacked a
session key check, potentially allowing cross-site request forgery
(CVE-2014-7838).

In Moodle before 2.6.5, session key check was missing on return page in
module LTI allowing attacker to include arbitrary message in URL query
string (MSA-14-0049).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7848
https://moodle.org/mod/forum/discuss.php?d=275146
https://moodle.org/mod/forum/discuss.php?d=275147
https://moodle.org/mod/forum/discuss.php?d=275152
https://moodle.org/mod/forum/discuss.php?d=275154
https://moodle.org/mod/forum/discuss.php?d=275155
https://moodle.org/mod/forum/discuss.php?d=275157
https://moodle.org/mod/forum/discuss.php?d=275158
https://moodle.org/mod/forum/discuss.php?d=275159
https://moodle.org/mod/forum/discuss.php?d=275160
https://moodle.org/mod/forum/discuss.php?d=275161
https://moodle.org/mod/forum/discuss.php?d=275162
https://moodle.org/mod/forum/discuss.php?d=275163
https://moodle.org/mod/forum/discuss.php?d=275164
https://moodle.org/mod/forum/discuss.php?d=275165
https://docs.moodle.org/dev/Moodle_2.6.6_release_notes
https://moodle.org/mod/forum/discuss.php?d=274730

Comment 4 David Walser 2014-11-17 15:44:42 CET
Public announcements were made here today:
http://openwall.com/lists/oss-security/2014/11/17/11

Comment 5 David Walser 2014-11-17 21:53:31 CET
Tested on Mageia 3 i586 with the PHP 5.4.35 update from Bug 14555.  Imported a course that I had exported from our production Moodle.  That worked fine.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 6 Rémi Verschelde 2014-11-19 14:45:21 CET
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory

Comment 7 olivier charles 2014-11-20 20:57:22 CET
Testing on Mageia3-64 real HW

Current package :
---------------

# rpm -q moodle
moodle-2.6.5-1.mga3

Followed procedure mentioned in comment 1
Could install and create, backup and restore a new course in moodle, log in, log out

Updated to testing package :
--------------------------

# rpm -q moodle
moodle-2.6.6-1.mga3

Connecting back on moodle db showed message :

Upgrading Moodle database from version 2.6.5 (Build: 20140908) (2013111805.00) to 2.6.6 (Build: 20141110) (2013111806.00)
Your Moodle files have been changed, and you are about to automatically upgrade your server to this version:
...
upgraded 3 plugins
could log back in to previous course and alter it
could add a new course

Dropped database
and created a new moodle database
created new course etc.

All OK

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK advisory

Comment 8 Rémi Verschelde 2014-11-21 17:24:23 CET
Validating, it's been well tested already.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-11-22 11:55:21 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0483.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-24 20:45:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/622955/

