Bug 206516 (CVE-2006-5129)

Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Product: [Fedora] Fedora
Component: moodle
Version: 5
Hardware: All
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: high
Priority: medium
Keywords: Security
Reporter: Ville Skyttä <scop>
Assignee: Mike McGrath <imlinux>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: extras-qa, fedora-security-list
Doc Type: Bug Fix
Last Closed: 2006-10-27 14:09:10 UTC

Description Ville Skyttä 2006-09-14 19:53:31 UTC
Moodle 1.6.1 and earlier are reportedly vulnerable to:
- cross site scripting (CVE-2006-4784)
- SQL injection (CVE-2006-4785)
- sensitive information disclosure (CVE-2006-4786)

FE-4, FE-5 and devel apparently affected.

Comment 1 Jason Tibbitts 2006-09-14 20:21:39 UTC
At this time I'm having difficulty verifying that the 1.5.4 release is
vulnerable.  Secunia is still saying 1.6.x, and that other versions may be
vulnerable.  Moodle.org doesn't have anything to say about the matter other than
the 1.6.2 release indicating security fixes.  (The 1.5 branch is still
maintained, but shows no related changes.)

Comment 2 Mike McGrath 2006-09-15 02:33:16 UTC
I'll keep my eye open as well, I'll probably just update for update's sake
though there's some patches I don't fully understand being applied to that
package.  (new maintainer)

Comment 3 Jason Tibbitts 2006-09-15 03:30:56 UTC
Let me know if you need assistance.  I have some experience with Moodle but no
longer use it here; I updated the package previously to deal with a security
issue but I have little interest in maintaining it in the long term.

I admit to being confused by the patches as well; I understand what they're
doing but I don't really understand why they need to be applied.  And of course
there's no documentation.  I'm beginning to think that we should require that
all patches have at least a line of comment in the spec file indicating what
they change and why they need to be applied.

Comment 5 Mike McGrath 2006-09-27 19:31:15 UTC
Actually I'd really appreciate that, I haven't had time to sit down and really
look at what the patches do.  I took this from ignacio because I felt it was
important enough to make sure it was maintained and because no one else wanted
it :D.  

tibbs: If you have some time and can help me out, by all means have at it.

I'm not against removing the patches to see what happens, people may not even be
using them.

Comment 6 Jason Tibbitts 2006-09-27 20:36:03 UTC
As far as I can tell, none of the CVEs in comment #4 apply to moodle 1.5.4.

Comment 7 Ville Skyttä 2006-10-10 18:24:59 UTC
Yet one more for 1.6.2: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5219

If this new one doesn't affect the packaged versions and all the earlier reported
ones have been verified to not affect them either, perhaps someone who has 
done the verification could close this bug?

Comment 8 Mike McGrath 2006-10-13 20:30:08 UTC
FYI, I've been working to update this to 1.6.3.  I'm going to release a version
to devel today.  FC[4-5] to follow.

Comment 9 Mike McGrath 2006-10-27 14:09:10 UTC
No one has complained, I'll be rebuilding FC4 and 5 immediately.