Bug 15244 - moodle new security issue fixed in 2.6.8
Summary: moodle new security issue fixed in 2.6.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/632710/
Whiteboard: has_procedure advisory MGA4-32-OK mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-02-09 16:39 CET by David Walser
Modified: 2015-02-10 18:26 CET (History)
1 user (show)

See Also:
Source RPM: moodle-2.6.7-1.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-02-09 16:39:39 CET 
Upstream has released new versions on February 2:
https://moodle.org/mod/forum/discuss.php?d=279502

The security issue was made public today (February 9):
http://openwall.com/lists/oss-security/2015/02/09/2

A CVE was requested on oss-security for the security issue before the Moodle notification was made public, so there's a duplicate CVE for this issue:
http://openwall.com/lists/oss-security/2015/02/09/5

MITRE decided to use the one they had issued on the list, rather than the one Moodle privately had.  Hence, the CVE in our advisory doesn't currently match the upstream one.  We'll change this if there's an objection to it from upstream.

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerability:

In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not
always cleaned from including "../" in the path, allowing to read files
located outside of moodle directory. All OS's are affected, but especially
vulnerable are Windows servers (CVE-2015-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1493
https://moodle.org/mod/forum/discuss.php?d=279956
https://docs.moodle.org/dev/Moodle_2.6.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=279502
http://openwall.com/lists/oss-security/2015/02/09/5
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.8-1.mga4

from moodle-2.6.8-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-02-09 16:39:56 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-02-09 16:40:18 CET 
Working fine on our production Moodle server at work, Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-02-09 18:03:53 CET 
Testing complete mga4 64

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 4 claire robinson 2015-02-09 18:37:08 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-02-09 22:44:54 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0057.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-10 18:26:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/632710/
Note You need to log in before you can comment on or make changes to this bug.