Bug 964321 (CVE-2013-2079, CVE-2013-2080, CVE-2013-2081, CVE-2013-2082, CVE-2013-2083)

Summary: CVE-2013-2079 CVE-2013-2080 CVE-2013-2081 CVE-2013-2082 CVE-2013-2083 moodle: upstream 2.4.4, 2.3.7, and 2.2.10 fixes
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, jlieskov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 15:37:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 964322, 964324    
Bug Blocks:    

Description Vincent Danen 2013-05-17 21:07:00 UTC 
Moodle upstream has released upstream 2.4.4, 2.3.7, and 2.2.10 versions:

http://docs.moodle.org/dev/Moodle_2.2.10_release_notes
http://docs.moodle.org/dev/Moodle_2.3.7_release_notes
http://docs.moodle.org/dev/Moodle_2.4.4_release_notes

These releases contain unspecified security fixes, the nature of which will be public next week; as per the upstream announcements:

"A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version."
Comment 1 Vincent Danen 2013-05-17 21:08:19 UTC 
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 964322]
Affects: epel-all [bug 964324]
Comment 2 Jan Lieskovsky 2013-05-22 10:19:11 UTC 
Further issue details (http://www.openwall.com/lists/oss-security/2013/05/21/1) are as follows:

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:       The assignment module was not checking capabilities
                    for users downloading all assignments as a zip.
Issue summary:     Students can download assignments submitted by other
                    students
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Phillip Franks
Issue no.:         MDL-38443
CVE Identifier:    CVE-2013-2079
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:       The Gradebook's Overview report was showing grade
                    totals that may have incorrectly included hidden
                    grades.
Issue summary:     The method for figuring out
                    showtotalsifcontainhidden on the overview report is
                    flawed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Andrew Davis
Issue no.:         MDL-37475
CVE Identifier:    CVE-2013-2080
Workaround:        Ensure all courses have the same value for hiding
                    grades in the gradebook. This is set at
                    Administration > Grades > Course grade settings >
                    Hide totals if they contain hidden items
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:       When registering a site on a hub (not Moodle.net)
                    site information was being sent to the hub
                    regardless of settings chosen.
Issue summary:     Moodle send site information to a hub even though
                    it's unchecked
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       J�r�me Mouneyrac
Issue no.:         MDL-37822
CVE Identifier:    CVE-2013-2081
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:       There was no check of permissions for viewing
                    comments on blog posts.
Issue summary:     Blog comment validation should verify that the user
                    can view a post.
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-37245
CVE Identifier:    CVE-2013-2082
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

=======================================================================
MSA-13-0024: Form filtering issue

Description:       Form elements named using a specific naming
                    scheme were not being filtered correctly
Issue summary:     Elements named foo[i] are not cleaned properly
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-38885
CVE Identifier:    CVE-2013-2083
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885