Bug 578811 (CVE-2010-1613, CVE-2010-1614, CVE-2010-1615, CVE-2010-1616, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619)
Summary: | CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-2010-1618 CVE-2010-1619 Moodle: Multiple security fixes in 1.8.12 upstream release | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | eric.eisenhart, gwync, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://docs.moodle.org/en/Moodle_1.8.12_release_notes | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-06-10 15:55:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jan Lieskovsky
2010-04-01 12:49:38 UTC
Though current Fedora versions of moodle have already been upgraded to v1.9.8 (thanks Jon), these issues still affect the versions of the moodle package, as present within EPEL-4 and EPEL-5 repositories. Please fix.

moodle-1.8.12-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el5

moodle-1.8.12-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el4

moodle-1.8.12-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.

moodle-1.8.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

MITRE has assigned the following CVEs for these issues (as noted in http://www.openwall.com/lists/oss-security/2010/04/29/10):

>MSA-10-0009: Session fixation prevention now turned on by default

Use CVE-2010-1613

>MSA-10-0008: Persistent XSS when using Login-as feature
>MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle
>Global Search Engine

These two are combined into a single CVE. Use CVE-2010-1614

>MSA-10-0006: SQL injection in Wiki module
>MSA-10-0005: Incorrect validation of forms data

These two are combined into a single CVE. Use CVE-2010-1615

>MSA-10-0004: Improved access control in course restore

Use CVE-2010-1616

>MSA-10-0003: Disclosure of full user names

Use CVE-2010-1617

>MSA-10-0002: XSS vulnerability in the phpcas module

Use CVE-2010-1618

>MSA-10-0001: Vulnerability in KSES text cleaning

Use CVE-2010-1619