Bug 841953 (CVE-2012-3387, CVE-2012-3388, CVE-2012-3389, CVE-2012-3390, CVE-2012-3391, CVE-2012-3392, CVE-2012-3393, CVE-2012-3394, CVE-2012-3395, CVE-2012-3396, CVE-2012-3397, CVE-2012-3398)

Summary: CVE-2012-3387 CVE-2012-3388 CVE-2012-3389 CVE-2012-3390 CVE-2012-3391 CVE-2012-3392 CVE-2012-3393 CVE-2012-3394 CVE-2012-3395 CVE-2012-3396 CVE-2012-3397 CVE-2012-3398 moodle: upstream 2.3.1, 2.2.4, 2.1.7, 2.0.10, 1.9.19 security fixes
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 2.3.1, moodle 2.2.4, moodle 2.1.7, moodle 2.0.10, moodle 1.9.19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-18 03:12:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 824482, 841954    
Bug Blocks:    

Description Vincent Danen 2012-07-20 16:19:07 UTC 
Moodle upstream has released versions 2.3.1, 2.2.4, 2.1.7, 2.0.10, and 1.9.19 to fix the following security flaws:

CVE-2012-3387 Moodle: MSA-12-0039: File upload validation issue
CVE-2012-3388 Moodle: MSA-12-0040: Capabilities issue through caching
CVE-2012-3389 Moodle: MSA-12-0041: XSS issue in LTI module
CVE-2012-3390 Moodle: MSA-12-0042: File access issue in blocks
CVE-2012-3391 Moodle: MSA-12-0043: Early information access issue in forum
CVE-2012-3392 Moodle: MSA-12-0044: Capability check issue in forum subscriptions
CVE-2012-3393 Moodle: MSA-12-0045: Injection potential in admin for repositories
CVE-2012-3394 Moodle: MSA-12-0046: Insecure protocol redirection in LDAP authentication
CVE-2012-3395 Moodle: MSA-12-0047: SQL injection potential in Feedback module
CVE-2012-3396 Moodle: MSA-12-0048: Possible XSS in cohort administration
CVE-2012-3397 Moodle: MSA-12-0049: Group restricted activity displayed to all users
CVE-2012-3398 Moodle: MSA-12-0050: Potential DOS attack through database activity

The above is summarized, including affected releases for each flaw, and links to the fixes in git:

http://www.openwall.com/lists/oss-security/2012/07/17/1

Upstream release announcements:

http://docs.moodle.org/dev/Moodle_1.9.19_release_notes
http://docs.moodle.org/dev/Moodle_2.0.10_release_notes
http://docs.moodle.org/dev/Moodle_2.1.7_release_notes
http://docs.moodle.org/dev/Moodle_2.2.4_release_notes
http://docs.moodle.org/dev/Moodle_2.3.1_release_notes
Comment 1 Vincent Danen 2012-07-20 16:21:54 UTC 
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 841954]
Affects: epel-all [bug 824482]