Bug 544766 (CVE-2009-4297, CVE-2009-4298, CVE-2009-4299, CVE-2009-4300, CVE-2009-4301, CVE-2009-4302, CVE-2009-4303, CVE-2009-4304, CVE-2009-4305)
| Summary: | Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | gwync |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://docs.moodle.org/en/Moodle_1.9.7_release_notes | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-03-29 10:07:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From the quick look at latest Moodle versions, as shipped in Fedora releases of 10, 11, 12 and in Extra Packages for Enterprise Linux 4 (EPEL-4) and (EPEL-5) projects, implies these should be updated. Please fix. moodle-1.8.11-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/moodle-1.8.11-1.el5 moodle-1.9.7-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc12 moodle-1.8.11-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/moodle-1.8.11-1.el4 moodle-1.9.7-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc11 moodle-1.9.7-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc10 moodle-1.8.11-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. moodle-1.8.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. moodle-1.9.7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. moodle-1.9.7-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. moodle-1.9.7-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |
Moodle upstream has released latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues. The list for 1.9.7 release: -------------------------- Security issues * MSA-09-0022 - CVE-2009-4297 Multiple CSRF problems fixed * MSA-09-0023 - CVE-2009-4298 Fixed user account disclosure in LAMS module * MSA-09-0024 - CVE-2009-4299 Fixed insufficient access control in Glossary module * MSA-09-0025 - CVE-2009-4300 Unneeded MD5 hashes removed from user table * MSA-09-0026 - CVE-2009-4301 Fixed invalid application access control in MNET interface * MSA-09-0027 - CVE-2009-4302 Ensured login information is always sent secured when using SSL for logins * MSA-09-0028 - CVE-2009-4303 Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data, new checks in the security overview report help admins identify dangerous backup permissions * MSA-09-0029 - CVE-2009-4304 A strong password policy is now enabled by default, enabling password salt in encouraged in config.php, admins are forced to change password after the upgrade and admins can force password change on other users via Bulk user actions * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins * MSA-09-0031 - CVE-2009-4305 Fixed SQL injection in SCORM module The list for 1.8.11 release: ---------------------------- Security issues * MSA-09-0022 - CVE-2009-4297 Multiple CSRF problems fixed * MSA-09-0023 - CVE-2009-4298 Fixed user account disclosure in LAMS module * MSA-09-0024 - CVE-2009-4299 Fixed insufficient access control in Glossary module * MSA-09-0025 - CVE-2009-4300 Unneeded MD5 hashes removed from user table * MSA-09-0026 - CVE-2009-4301 Fixed invalid application access control in MNET interface * MSA-09-0027 - CVE-2009-4302 Ensured login information is always sent secured when using SSL for logins * MSA-09-0028 - CVE-2009-4303 Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data * MSA-09-0029 - CVE-2009-4304 Enabling a password salt in encouraged in config.php and admins are forced to change password after the upgrade * MSA-09-0031 - CVE-2009-4305 Fixed SQL injection in SCORM module References: ----------- http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://docs.moodle.org/en/Moodle_1.8.11_release_notes CVE Request: ------------ http://www.openwall.com/lists/oss-security/2009/12/06/1