A number of flaws have been fixed in new upstream Moodle 2.2.1 [1], 2.1.4 [2], 2.0.7 [3], and 1.9.16 [4] releases. These do not have CVEs assigned (request pending), and since Fedora/EPEL will rebase to the latest versions of each branch, I'm summarizing them all here rather than creating a number of separate bugs.

[1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes

MSA-12-0001: Recaptcha transmission consistency issue
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
Reference: http://moodle.org/mod/forum/discuss.php?d=194008

MSA-12-0002: Personal information leak
Affects: 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
Reference: http://moodle.org/mod/forum/discuss.php?d=194009

MSA-12-0003: Added password protection
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
Reference: http://moodle.org/mod/forum/discuss.php?d=194011

MSA-12-0004: Added profile image security
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
Reference: http://moodle.org/mod/forum/discuss.php?d=194012

MSA-12-0005: Encryption enhancement
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
Reference: http://moodle.org/mod/forum/discuss.php?d=194013

MSA-12-0006: Additional email address validation
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
Reference: http://moodle.org/mod/forum/discuss.php?d=194014

MSA-12-0007: Email injection prevention
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
Reference: http://moodle.org/mod/forum/discuss.php?d=194015

MSA-12-0008: Unsynchronised access via tokens
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
Reference: http://moodle.org/mod/forum/discuss.php?d=194016

MSA-12-0009: Role access issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
Reference: http://moodle.org/mod/forum/discuss.php?d=194017

MSA-12-0010: Unauthorised access to session key
Affects: 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
Reference: http://moodle.org/mod/forum/discuss.php?d=194018

MSA-12-0011: Browser autofill password issue
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
Reference: http://moodle.org/mod/forum/discuss.php?d=194019

MSA-12-0012: Form validation issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
Reference: http://moodle.org/mod/forum/discuss.php?d=194020

Created moodle tracking bugs for this issue

Affects: epel-all [bug 783533]
Affects: fedora-all [bug 783534]

The following CVEs were assigned:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

MSA-12-0001 was deemed an enhancement with no security impact.
MSA-12-0003 was deemed a security enhancement to help prevent browsers from remembering a user's password (not a flaw).

moodle-1.9.16-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
moodle-2.0.7-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
moodle-2.1.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.