Bug 824477 (CVE-2012-2353, CVE-2012-2354, CVE-2012-2355, CVE-2012-2356, CVE-2012-2357, CVE-2012-2358, CVE-2012-2359, CVE-2012-2360, CVE-2012-2361, CVE-2012-2362, CVE-2012-2363, CVE-2012-2364, CVE-2012-2365, CVE-2012-2366, CVE-2012-2367)

Summary: CVE-2012-2353 moodle: Upstream 2.2.3, 2.1.6, 2.0.9 and 1.9.18 fixes
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 15:37:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 824481, 824482    
Bug Blocks:    

Description Jan Lieskovsky 2012-05-23 14:52:41 UTC 
Moodle upstream has released upstream 2.2.3, 2.1.6, 2.0.9 and 1.9.18 versions:
[1] http://docs.moodle.org/dev/Moodle_2.2.3_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.6_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.9_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.18_release_notes

correcting multiple security flaws (each of the releases different subset):

Summarizing post for the flaws (including relevant upstream patches
for each of them):
[5] http://www.openwall.com/lists/oss-security/2012/05/23/2
Comment 1 Jan Lieskovsky 2012-05-23 14:56:47 UTC 
The (shortened detail) list of security fixes:
==============================================

CVE-2012-2353 MSA-12-0024: Hidden information access issue
CVE-2012-2354 MSA-12-0025: Personal communication access issue
CVE-2012-2355 MSA-12-0026: Quiz capability issue
CVE-2012-2356 MSA-12-0027: Question bank capability issues
CVE-2012-2357 MSA-12-0028: Insecure authentication issue
CVE-2012-2358 MSA-12-0029: Information editing access issue
CVE-2012-2359 MSA-12-0030: Capability manipulation issue
CVE-2012-2360 MSA-12-0031: Cross-site scripting vulnerability in Wiki
CVE-2012-2361 MSA-12-0032: Cross-site scripting vulnerability in Web services
CVE-2012-2362 MSA-12-0033: Cross-site scripting vulnerability in Blog
CVE-2012-2363 MSA-12-0034: Potential SQL injection issue
CVE-2012-2364 MSA-12-0035: Cross-site scripting vulnerability in "download all"
CVE-2012-2365 MSA-12-0036: Cross-site scripting vulnerability in category identifier
CVE-2012-2366 MSA-12-0037: Write access issue in Database activity module
CVE-2012-2367 MSA-12-0038: Calendar event write permission issue
Comment 2 Jan Lieskovsky 2012-05-23 14:58:29 UTC 
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 824481]
Affects: epel-all [bug 824482]
Comment 3 Vincent Danen 2012-07-18 18:08:52 UTC 
Current release versions show this is fixed in all but EPEL5:

Fedora-16: http://koji.fedoraproject.org/packages/moodle/2.0.9/1.fc16
Fedora-17: http://koji.fedoraproject.org/packages/moodle/2.2.3/1.fc17
Fedora-Rawhide: http://koji.fedoraproject.org/packages/moodle/2.2.3/1.fc18
EPEL-5: http://koji.fedoraproject.org/packages/moodle/1.8.13/4.el5
EPEL-6: http://koji.fedoraproject.org/packages/moodle/2.1.6/1.el6