Bug 544766 - (CVE-2009-4297, CVE-2009-4298, CVE-2009-4299, CVE-2009-4300, CVE-2009-4301, CVE-2009-4302, CVE-2009-4303, CVE-2009-4304, CVE-2009-4305) Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases
Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://docs.moodle.org/en/Moodle_1.9....
impact=moderate,source=debian,reporte...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-06 07:45 EST by Jan Lieskovsky
Modified: 2010-03-29 06:07 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-29 06:07:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2009-12-06 07:45:51 EST
Moodle upstream has released latest stable versions (1.9.7 and 1.8.11),
fixing multiple security issues.

The list for 1.9.7 release:
--------------------------
 Security issues

    * MSA-09-0022 - CVE-2009-4297 Multiple CSRF problems fixed
    * MSA-09-0023 - CVE-2009-4298 Fixed user account disclosure in LAMS module
    * MSA-09-0024 - CVE-2009-4299 Fixed insufficient access control in
                    Glossary module
    * MSA-09-0025 - CVE-2009-4300 Unneeded MD5 hashes removed from user table
    * MSA-09-0026 - CVE-2009-4301 Fixed invalid application access control
                    in MNET interface
    * MSA-09-0027 - CVE-2009-4302 Ensured login information is always sent 
                    secured when using SSL for logins
    * MSA-09-0028 - CVE-2009-4303 Passwords and secrets are no longer ever
                    saved in backups, new backup capabilities
                    moodle/backup:userinfo and 
                    moodle/restore:userinfo for controlling who can
                    backup/restore user data, new checks in the security
                    overview report help admins identify dangerous backup 
                    permissions
    * MSA-09-0029 - CVE-2009-4304 A strong password policy is now enabled by
                    default, enabling password salt in encouraged in
                    config.php, admins are forced to change password after
                    the upgrade and admins can force password change on other
                    users via Bulk user actions
    * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle
                    won't serve Flash to insecure plugins
    * MSA-09-0031 - CVE-2009-4305 Fixed SQL injection in SCORM module 

The list for 1.8.11 release:
----------------------------
 Security issues

    * MSA-09-0022 - CVE-2009-4297 Multiple CSRF problems fixed
    * MSA-09-0023 - CVE-2009-4298  Fixed user account disclosure in LAMS
                    module
    * MSA-09-0024 - CVE-2009-4299 Fixed insufficient access control in Glossary
                    module
    * MSA-09-0025 - CVE-2009-4300 Unneeded MD5 hashes removed from user table
    * MSA-09-0026 - CVE-2009-4301 Fixed invalid application access control in 
                    MNET interface
    * MSA-09-0027 - CVE-2009-4302 Ensured login information is always sent 
                    secured when using SSL for logins
    * MSA-09-0028 - CVE-2009-4303 Passwords and secrets are no longer ever
                    saved in backups, new backup capabilities 
                    moodle/backup:userinfo and 
                    moodle/restore:userinfo for controlling who can 
                    backup/restore user data
    * MSA-09-0029 - CVE-2009-4304 Enabling a password salt in encouraged in 
                    config.php and admins are forced to change password after
                    the upgrade          
    * MSA-09-0031 - CVE-2009-4305 Fixed SQL injection in SCORM module 

References:
-----------
http://docs.moodle.org/en/Moodle_1.9.7_release_notes
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/12/06/1
Comment 1 Jan Lieskovsky 2009-12-06 07:49:33 EST
From the quick look at latest Moodle versions, as shipped in Fedora releases
of 10, 11, 12 and in Extra Packages for Enterprise Linux 4 (EPEL-4) and
(EPEL-5) projects, implies these should be updated.

Please fix.
Comment 2 Fedora Update System 2009-12-08 15:46:07 EST
moodle-1.8.11-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/moodle-1.8.11-1.el5
Comment 3 Fedora Update System 2009-12-08 15:46:12 EST
moodle-1.9.7-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc12
Comment 4 Fedora Update System 2009-12-08 15:46:18 EST
moodle-1.8.11-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/moodle-1.8.11-1.el4
Comment 5 Fedora Update System 2009-12-08 15:46:23 EST
moodle-1.9.7-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc11
Comment 6 Fedora Update System 2009-12-08 15:46:27 EST
moodle-1.9.7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/moodle-1.9.7-1.fc10
Comment 7 Fedora Update System 2009-12-09 23:01:54 EST
moodle-1.8.11-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-12-09 23:02:18 EST
moodle-1.8.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-12-11 13:12:52 EST
moodle-1.9.7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-12-11 13:17:46 EST
moodle-1.9.7-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2009-12-11 13:21:34 EST
moodle-1.9.7-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.