Bug 1183693 (CVE-2015-0211, CVE-2015-0212, CVE-2015-0213, CVE-2015-0214, CVE-2015-0215, CVE-2015-0216, CVE-2015-0217, CVE-2015-0218)

Summary:	CVE-2015-0211 CVE-2015-0212 CVE-2015-0213 CVE-2015-0214 CVE-2015-0215 CVE-2015-0216 CVE-2015-0217 CVE-2015-0218 moodle: new update fixes several security issues
Product:	[Other] Security Response	Reporter:	Vasyl Kaigorodov <vkaigoro>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	gwync
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	Moodle 2.8.2, 2.7.4 and 2.6.7	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-08-22 15:37:21 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1183694, 1183695
Bug Blocks:

Description Vasyl Kaigorodov 2015-01-19 13:52:04 UTC

The following security notifications have now been made public:

==============================================================================
MSA-15-0001: Insufficient access check in LTI module

Description:       Absence of capability check in AJAX backend script could
                   allow any enrolled user to search the list of registered
                   tools
Issue summary:     mod/lti/ajax.php security problems
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47920
CVE identifier:    CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920

==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page

Description:       Course summary on course request pending approval page was
                   displayed to the manager unescaped and could be used for
                   XSS attack
Issue summary:     XSS in course request pending approval page (Privilege
                   Escalation?)
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Skylar Kelty
Issue no.:         MDL-48368
Workaround:        Grant permission moodle/course:request only to trusted
                   users
CVE identifier:    CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368

==============================================================================
MSA-15-0003: CSRF possible in Glossary module

Description:       Two files in the Glossary module lacked a session key check
                   potentially allowing cross-site request forgery
Issue summary:     Multiple CSRF in mod glossary
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Ankit Agarwal
Issue no.:         MDL-48106
CVE identifier:    CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106

==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services

Description:       Through web-services it was possible to access
                   messaging-related functions such as people search even if
                   messaging is disabled on the site
Issue summary:     Messages external functions doesn't check if messaging is
                   enabled
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Juan Leyva
Issue no.:         MDL-48329
Workaround:        Disable web services or disable individual message-related
                   functions
CVE identifier:    CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329

==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services

Description:       Through web-services it was possible to get information
                   about calendar events which user did not have enough
                   permissions to see
Issue summary:     calendar/externallib.php lacks
                   self::validate_context($context);
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-48017
CVE identifier:    CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017

==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

Description:       Users with capability to grade in Lesson module were not
                   reported as users with XSS risk but their feedback was
                   displayed without cleaning
Issue summary:     mod/lesson:grade capability missing RISK_XSS but essay
                   feedback is displayed with noclean=true
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1
Versions fixed:    2.8.2
Reported by:       Damyon Wiese
Issue no.:         MDL-48034
CVE identifier:    CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034

==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter

Description:       Not optimal regular expression in the filter could be
                   exploited to create extra server load or make particular
                   page unavailable
Issue summary:     ReDOS in the multimedia filter
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Nicolas Martignoni
Issue no.:         MDL-48546
Workaround:        Disable multimedia filter
CVE identifier:    CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546

==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin

Description:       It was possible to forge a request to logout users even
                   when not authenticated through Shibboleth
Issue summary:     Forced logout via auth/shibboleth/logout.php
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47964
Workaround:        Deny access to file auth/shibboleth/logout.php in webserver
                   configuration
CVE identifier:    CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964

==============================================================================

Comment 1 Vasyl Kaigorodov 2015-01-19 13:52:27 UTC

Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1183694]
Affects: epel-6 [bug 1183695]