Moodle 1.6.1 and earlier are reportedly vulnerable to:
- cross site scripting (CVE-2006-4784)
- SQL injection (CVE-2006-4785)
- sensitive information disclosure (CVE-2006-4786)
FE-4, FE-5 and devel apparently affected.
At this time I'm having difficulty verifying that the 1.5.4 release is
vulnerable. Secunia is still saying 1.6.x, and that other versions may be
vulnerable. Moodle.org doesn't have anything to say about the matter other than
the 1.6.2 release indicating security fixes. (The 1.5 branch is still
maintained, but shows no related changes.)
I'll keep my eye open as well, I'll probably just update for update's sake
though there's some patches I don't fully understand being applied to that
packge. (new maintainer)
Let me know if you need assistance. I have some experience with Moodle but no
longer use it here; I updated the package previously to deal with a security
issue but I have little interest in maintaining it in the long term.
I admit to being confused by the patches as well; I understand what they're
doing but I don't really understand why they need to be applied. And of course
there's no documentation. I'm beginning to think that we should require that
all patches have at least a line of comment in the spec file indicating what
they change and why they need to be applied.
More issues reported mostly against 1.6.1 and earlier or 1.6.2 and earlier:
Actually I'd really appreciate that, I haven't had time to sit down and really
look at what the patches do. I took this from ignacio because I felt it was
important enough to make sure it was maintained and because no one else wanted
tibbs: If you have some time and can help me out, by all means have at it.
I'm not against removing the patches to see what happens, people may not even be
As far as I can tell, none of the CVEs in comment #4 apply to moodle 1.5.4.
Yet one more for 1.6.2: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5219
If this new doesn't affect the packaged versions and all the earlier reported
ones have been verified to not affect them either, perhaps someone who has
done the verification could close this bug?
FYI, I've been working to update this to 1.6.3. I'm going to release a version
to devel today. FC[4-5] to follow.
No one has complained, I'll be rebuilding FC4 and 5 immediately.