Bug 605809 (CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231)

Summary: CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231 moodle: multiple security fixes in upstream 1.9.9/1.8.13
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: jlieskov, limburgher
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: public=20100608,reported=20100618,source=debian,fedora-all/moodle=affected/impact=moderate/cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N/
Doc Type: Bug Fix
Last Closed: 2011-11-18 14:57:06 EST
Bug Depends On: 605810

Description Vincent Danen 2010-06-18 16:11:50 EDT
Moodle upstream has released v1.9.9 and v1.8.13:

http://docs.moodle.org/en/Moodle_1.9.9_release_notes
http://docs.moodle.org/en/Moodle_1.8.13_release_notes

Which address the following issues:

* MSA-10-0010 Persistent Cross Site Scripting vulnerability in the MNET access control interface
* MSA-10-0011 Cross Site Scripting vulnerability in blog/index.php
* MSA-10-0012 KSES Security Filter Bypassing vulnerability
* MSA-10-0013 Potential Cross Site Scripting vulnerability in Quiz reports 

These would affect Fedora (currently 1.9.8) and EPEL (currently 1.8.12).
Comment 1 Vincent Danen 2010-06-18 16:15:16 EDT
CVE request here: http://www.openwall.com/lists/oss-security/2010/06/18/4
Comment 2 Vincent Danen 2010-06-18 16:15:44 EDT
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 605810]
Comment 3 Jan Lieskovsky 2010-06-21 14:58:17 EDT
The following CVE identifiers have been assigned to these issues:
(http://www.openwall.com/lists/oss-security/2010/06/21/2)

* MSA-10-0010 Persistent Cross Site Scripting vulnerability in the MNET access
  control interface => CVE-2010-2228

* MSA-10-0011 Cross Site Scripting vulnerability in blog/index.php =>
  CVE-2010-2229 

* MSA-10-0012 KSES Security Filter Bypassing vulnerability => 
  CVE-2010-2230

* MSA-10-0013 Potential Cross Site Scripting vulnerability in Quiz reports =>
  CVE-2010-2231
Comment 4 Fedora Update System 2010-06-22 15:24:40 EDT
moodle-1.9.9-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moodle-1.9.9-1.fc11
Comment 5 Fedora Update System 2010-06-22 15:24:53 EDT
moodle-1.8.13-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/moodle-1.8.13-1.el5
Comment 6 Fedora Update System 2010-06-22 15:25:02 EDT
moodle-1.8.13-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/moodle-1.8.13-1.el4
Comment 7 Fedora Update System 2010-06-22 15:25:10 EDT
moodle-1.9.9-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moodle-1.9.9-1.fc12
Comment 8 Fedora Update System 2010-06-22 15:25:19 EDT
moodle-1.9.9-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/moodle-1.9.9-1.fc13
Comment 9 Fedora Update System 2010-06-23 13:40:17 EDT
moodle-1.9.9-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-06-23 13:41:57 EDT
moodle-1.9.9-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-06-23 13:55:17 EDT
moodle-1.9.9-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-06-23 18:08:29 EDT
moodle-1.8.13-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-06-23 18:09:00 EDT
moodle-1.8.13-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.