Bug 15909 - moodle new security issues fixed in 2.6.11
Summary: moodle new security issues fixed in 2.6.11
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/645052/
Whiteboard: has_procedure advisory MGA4-32-OK mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-11 20:40 CEST by David Walser
Modified: 2015-05-19 19:11 CEST

See Also:
Source RPM: moodle-2.6.10-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-11 20:40:08 CEST
Upstream has released new versions today (May 11):
https://moodle.org/mod/forum/discuss.php?d=313322

The security details will be made public in a week.

The 2.6.11 release notes will be here:
https://docs.moodle.org/dev/Moodle_2.6.11_release_notes

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory to come later.

Updated packages in core/updates_testing:
========================
moodle-2.6.11-1.mga4

from moodle-2.6.11-1.mga4.src.rpm

Comment 1 David Walser 2015-05-11 20:40:20 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-05-11 20:46:19 CEST
Working fine on our production Moodle server, Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-05-12 18:26:06 CEST
Testing complete mga4 64

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 4 claire robinson 2015-05-12 18:28:12 CEST
Need an advisory David please.

Comment 5 claire robinson 2015-05-13 16:53:31 CEST
Waiting on upstream for more details so adding feedback marker for now.

Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure feedback MGA4-32-OK mga4-64-ok

Comment 6 David Walser 2015-05-18 14:20:50 CEST
Details have been published:
http://openwall.com/lists/oss-security/2015/05/18/1

This can be validated now.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.11, leaving gradebook feedback is a trusted action and
such capabilities in other modules already have an XSS mask, 'mod/quiz:grade'
was missing this flag (CVE-2015-3174).

In Moodle before 2.6.11, some error messages display a button to return to
the previous page. Redirecting to non-local referer should not be allowed as
it can potentially be used for phishing (CVE-2015-3175).

In Moodle before 2.6.11, on sites with enabled self-registration, not
registered users can retrieve fullname of registered users if they know their
usernames (CVE-2015-3176).

In Moodle before 2.6.11, if a user who is not XSS-trusted attempts to insert
a script as part of the input text, it will be cleaned when displayed on the
Moodle website but may be displayed uncleaned in the external application
because external_format_text() cleans and formats text incorrectly when
returning it from Web Services (CVE-2015-3178).

In Moodle before 2.6.11, when self-registration is enabled and a user's
account was suspended after creating the account but before actually
confirming it, the user is still able to log in when confirming their email,
but only once (CVE-2015-3179).

In Moodle before 2.6.11, if a user is enrolled in the course but their
enrollment is suspended, they cannot access the course but are still able
to see the course structure in the navigation block (CVE-2015-3180).

In Moodle before 2.6.11, users with the revoked capability
'moodle/user:manageownfiles' are still able to upload private files using a
deprecated function in Web Services (CVE-2015-3181).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3181
https://moodle.org/mod/forum/discuss.php?d=313681
https://moodle.org/mod/forum/discuss.php?d=313682
https://moodle.org/mod/forum/discuss.php?d=313683
https://moodle.org/mod/forum/discuss.php?d=313685
https://moodle.org/mod/forum/discuss.php?d=313686
https://moodle.org/mod/forum/discuss.php?d=313687
https://moodle.org/mod/forum/discuss.php?d=313688
https://docs.moodle.org/dev/Moodle_2.6.11_release_notes
https://moodle.org/mod/forum/discuss.php?d=313322

Whiteboard: has_procedure feedback MGA4-32-OK mga4-64-ok => has_procedure MGA4-32-OK mga4-64-ok

Comment 7 claire robinson 2015-05-18 15:11:38 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-18 21:08:54 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0229.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-19 19:11:12 CEST

URL: (none) => http://lwn.net/Vulnerabilities/645052/

