Bug 783532 - (CVE-2012-0792, CVE-2012-0793, CVE-2012-0794, CVE-2012-0795, CVE-2012-0796, CVE-2012-0797, CVE-2012-0798, CVE-2012-0799, CVE-2012-0800, CVE-2012-0801) moodle: multiple security fixes in 2.2.1, 2.1.4, 2.0.7, 1.9.16
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120109,repor...
Keywords: Security
Depends On: 783533 783534
Reported: 2012-01-20 13:30 EST by Vincent Danen
Modified: 2012-04-02 15:03 EDT

Doc Type: Bug Fix
Last Closed: 2012-04-02 15:03:01 EDT
Attachments: None

Description Vincent Danen 2012-01-20 13:30:59 EST
A number of flaws have been fixed in new upstream Moodle 2.2.1 [1], 2.1.4
[2], 2.0.7 [3], and 1.9.16 [4] releases.  These do not have CVEs assigned
(request pending), and since Fedora/EPEL will rebase to the latest versions
of each branch, I'm summarizing them all here rather than creating a number
of separate bugs.

[1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes


MSA-12-0001: Recaptcha transmission consistency issue
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
Reference: http://moodle.org/mod/forum/discuss.php?d=194008


MSA-12-0002: Personal information leak
Affects: 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
Reference: http://moodle.org/mod/forum/discuss.php?d=194009


MSA-12-0003: Added password protection
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
Reference: http://moodle.org/mod/forum/discuss.php?d=194011


MSA-12-0004: Added profile image security
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
Reference: http://moodle.org/mod/forum/discuss.php?d=194012


MSA-12-0005: Encryption enhancement
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
Reference: http://moodle.org/mod/forum/discuss.php?d=194013


MSA-12-0006: Additional email address validation
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
Reference: http://moodle.org/mod/forum/discuss.php?d=194014


MSA-12-0007: Email injection prevention
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
Reference: http://moodle.org/mod/forum/discuss.php?d=194015


MSA-12-0008: Unsynchronised access via tokens
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
Reference: http://moodle.org/mod/forum/discuss.php?d=194016


MSA-12-0009: Role access issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
Reference: http://moodle.org/mod/forum/discuss.php?d=194017


MSA-12-0010: Unauthorised access to session key
Affects: 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
Reference: http://moodle.org/mod/forum/discuss.php?d=194018


MSA-12-0011: Browser autofill password issue
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
Reference: http://moodle.org/mod/forum/discuss.php?d=194019


MSA-12-0012: Form validation issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
Reference: http://moodle.org/mod/forum/discuss.php?d=194020
Comment 1 Vincent Danen 2012-01-20 13:34:11 EST
Created moodle tracking bugs for this issue

Affects: epel-all [bug 783533]
Affects: fedora-all [bug 783534]
Comment 2 Vincent Danen 2012-01-22 01:42:19 EST
The following CVEs were assigned:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

MSA-12-0001 was deemed an enhancement with no security impact.

MSA-12-0003 was deemed a security enhancement to help prevent browsers from remembering a user's password (not a flaw).
Comment 3 Fedora Update System 2012-02-02 12:21:23 EST
moodle-1.9.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-02-02 12:27:12 EST
moodle-2.0.7-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-02-09 13:45:32 EST
moodle-2.1.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.