Bug 578811 (CVE-2010-1613, CVE-2010-1614, CVE-2010-1615, CVE-2010-1616, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619)

Summary: CVE-2010-1613 CVE-2010-1614 CVE-2010-1615 CVE-2010-1616 CVE-2010-1617 CVE-2010-1618 CVE-2010-1619 Moodle: Multiple security fixes in 1.8.12 upstream release
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: eric.eisenhart, gwync, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://docs.moodle.org/en/Moodle_1.8.12_release_notes
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-10 15:55:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-04-01 12:49:38 UTC
Moodle upstream has released latest v1.9.8 and v.1.8.12
versions:
  [1] http://docs.moodle.org/en/Moodle_1.9.8_release_notes
  [2] http://docs.moodle.org/en/Moodle_1.8.12_release_notes

addressing multiple security issues (from [2]):

    * MSA-10-0001 Vulnerability in KSES text cleaning
    * MSA-10-0002 XSS vulnerabilty in the phpcas module
    * MSA-10-0003 Disclosure of full user names
    * MSA-10-0005 Incorrect validation of forms data
    * MSA-10-0006 SQL injection in Wiki module
    * MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle
                  Global Search Engine
    * MSA-10-0008 Persistent XSS when using Login-as feature
    * MSA-10-0009 Session fixation prevention now turned on by default 

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/04/01/1

Comment 1 Jan Lieskovsky 2010-04-01 12:52:24 UTC
Though current Fedora versions of moodle has been already
upgraded to v1.9.8 (thanks Jon), these issues still affect
the versions of the moodle package, as present within
EPEL-4 and EPEL-5 repositories.

Please fix.

Comment 2 Fedora Update System 2010-04-01 17:59:39 UTC
moodle-1.8.12-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el5

Comment 3 Fedora Update System 2010-04-01 17:59:44 UTC
moodle-1.8.12-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el4

Comment 4 Fedora Update System 2010-04-02 02:39:43 UTC
moodle-1.8.12-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2010-04-02 02:39:53 UTC
moodle-1.8.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2010-06-10 15:55:51 UTC
MITRE has assigned the following CVEs for these issues (as noted in http://www.openwall.com/lists/oss-security/2010/04/29/10):

>MSA-10-0009: Session fixation prevention now turned on by default

Use CVE-2010-1613

>MSA-10-0008: Persistent XSS when using Login-as feature
>MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle
>Global Search Engine

These two are combined into a single CVE.

Use CVE-2010-1614

>MSA-10-0006: SQL injection in Wiki module
>MSA-10-0005: Incorrect validation of forms data

These two are combined into a single CVE.

Use CVE-2010-1615

>MSA-10-0004: Improved access control in course restore

Use CVE-2010-1616

>MSA-10-0003: Disclosure of full user names

Use CVE-2010-1617

>MSA-10-0002: XSS vulnerabilty in the phpcas module

Use CVE-2010-1618

>MSA-10-0001: Vulnerability in KSES text cleaning

Use CVE-2010-1619