Bug 206516 (CVE-2006-5129)
| Field | Value |
|---|---|
| Summary | CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities |
| Product | Fedora |
| Component | moodle |
| Version | 5 |
| Status | CLOSED NEXTRELEASE |
| Severity | high |
| Priority | medium |
| Reporter | Ville Skyttä <scop> |
| Assignee | Mike McGrath <imlinux> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | extras-qa, fedora-security-list |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-10-27 14:09:10 UTC |
Description
Ville Skyttä
2006-09-14 19:53:31 UTC
At this time I'm having difficulty verifying that the 1.5.4 release is vulnerable. Secunia is still saying 1.6.x, and that other versions may be vulnerable. Moodle.org doesn't have anything to say about the matter other than the 1.6.2 release indicating security fixes. (The 1.5 branch is still maintained, but shows no related changes.)

I'll keep my eye open as well, I'll probably just update for update's sake though there's some patches I don't fully understand being applied to that package. (new maintainer)

Let me know if you need assistance. I have some experience with Moodle but no longer use it here; I updated the package previously to deal with a security issue but I have little interest in maintaining it in the long term. I admit to being confused by the patches as well; I understand what they're doing but I don't really understand why they need to be applied. And of course there's no documentation. I'm beginning to think that we should require that all patches have at least a line of comment in the spec file indicating what they change and why they need to be applied.

More issues reported mostly against 1.6.1 and earlier or 1.6.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4935

Actually I'd really appreciate that, I haven't had time to sit down and really look at what the patches do. I took this from ignacio because I felt it was important enough to make sure it was maintained and because no one else wanted it :D. tibbs: If you have some time and can help me out, by all means have at it.

I'm not against removing the patches to see what happens, people may not even be using them.

As far as I can tell, none of the CVEs in comment #4 apply to moodle 1.5.4.

Yet one more for 1.6.2:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5219

If this new one doesn't affect the packaged versions and all the earlier reported ones have been verified to not affect them either, perhaps someone who has done the verification could close this bug?

FYI, I've been working to update this to 1.6.3. I'm going to release a version to devel today. FC[4-5] to follow.

No one has complained; I'll be rebuilding FC4 and 5 immediately.