Bug 783532 (CVE-2012-0792, CVE-2012-0793, CVE-2012-0794, CVE-2012-0795, CVE-2012-0796, CVE-2012-0797, CVE-2012-0798, CVE-2012-0799, CVE-2012-0800, CVE-2012-0801)

Summary: moodle: multiple security fixes in 2.2.1, 2.1.4, 2.0.7, 1.9.16
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-02 19:03:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 783533, 783534    
Bug Blocks:    

Description Vincent Danen 2012-01-20 18:30:59 UTC 
A number of flaws have been fixed in new upstream Moodle 2.2.1 [1], 2.1.4
[2], 2.0.7 [3], and 1.9.16 [4] releases.  These do not have CVEs assigned
(request pending), and since Fedora/EPEL will rebase to the latest versions
of each branch, I'm summarizing them all here rather than creating a number
of separate bugs.

[1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes


MSA-12-0001: Recaptcha transmission consistency issue
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
Reference: http://moodle.org/mod/forum/discuss.php?d=194008


MSA-12-0002: Personal information leak
Affects: 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
Reference: http://moodle.org/mod/forum/discuss.php?d=194009


MSA-12-0003: Added password protection
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
Reference: http://moodle.org/mod/forum/discuss.php?d=194011


MSA-12-0004: Added profile image security
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
Reference: http://moodle.org/mod/forum/discuss.php?d=194012


MSA-12-0005: Encryption enhancement
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
Reference:  http://moodle.org/mod/forum/discuss.php?d=194013


MSA-12-0006: Additional email address validation
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
Reference: http://moodle.org/mod/forum/discuss.php?d=194014


MSA-12-0007: Email injection prevention
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
Reference: http://moodle.org/mod/forum/discuss.php?d=194015


MSA-12-0008: Unsynchronised access via tokens
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
Reference: http://moodle.org/mod/forum/discuss.php?d=194016


MSA-12-0009: Role access issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
Reference: http://moodle.org/mod/forum/discuss.php?d=194017


MSA-12-0010: Unauthorised access to session key
Affects: 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
Reference: http://moodle.org/mod/forum/discuss.php?d=194018


MSA-12-0011: Browser autofill password issue
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
Reference: http://moodle.org/mod/forum/discuss.php?d=194019


MSA-12-0012: Form validation issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
Reference: http://moodle.org/mod/forum/discuss.php?d=194020
Comment 1 Vincent Danen 2012-01-20 18:34:11 UTC 
Created moodle tracking bugs for this issue

Affects: epel-all [bug 783533]
Affects: fedora-all [bug 783534]
Comment 2 Vincent Danen 2012-01-22 06:42:19 UTC 
The following CVEs were assigned:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak                                                                                                                                                                                                                     
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security                                                                                                                                                                                                                  
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement                                                                                                                                                                                                                        
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation                                                                                                                                                                                                           
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention                                                                                                                                                                                                                    
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens                                                                                                                                                                                                              
CVE-2012-0798 Moodle MSA-12-0009: Role access issue                                                                                                                                                                                                                             
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key                                                                                                                                                                                                            
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue                                                                                                                                                                                                               
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

MSA-12-0001 was deemed an enhancement with no security impact.

MSA-12-0003 was deemed a security enhancement to help prevent browsers from remembering a users password (not a flaw).
Comment 3 Fedora Update System 2012-02-02 17:21:23 UTC 
moodle-1.9.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-02-02 17:27:12 UTC 
moodle-2.0.7-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-02-09 18:45:32 UTC 
moodle-2.1.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.