Bug 841953 - (CVE-2012-3387, CVE-2012-3388, CVE-2012-3389, CVE-2012-3390, CVE-2012-3391, CVE-2012-3392, CVE-2012-3393, CVE-2012-3394, CVE-2012-3395, CVE-2012-3396, CVE-2012-3397, CVE-2012-3398) CVE-2012-3387 CVE-2012-3388 CVE-2012-3389 CVE-2012-3390 CVE-2012-3391 CVE-2012-3392 CVE-2012-3393 CVE-2012-3394 CVE-2012-3395 CVE-2012-3396 CVE-2012-3397 CVE-2012-3398 moodle: upstream 2.3.1, 2.2.4, 2.1.7, 2.0.10, 1.9.19 security fixes
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120709,repor...
Keywords: Security
Depends On: 824482 841954
Reported: 2012-07-20 12:19 EDT by Vincent Danen
Modified: 2015-07-31 05:03 EDT
Last Closed: 2013-07-17 23:12:27 EDT
Doc Type: Bug Fix
Attachments: None

Description Vincent Danen 2012-07-20 12:19:07 EDT
Moodle upstream has released versions 2.3.1, 2.2.4, 2.1.7, 2.0.10, and 1.9.19 to fix the following security flaws:

CVE-2012-3387 Moodle: MSA-12-0039: File upload validation issue
CVE-2012-3388 Moodle: MSA-12-0040: Capabilities issue through caching
CVE-2012-3389 Moodle: MSA-12-0041: XSS issue in LTI module
CVE-2012-3390 Moodle: MSA-12-0042: File access issue in blocks
CVE-2012-3391 Moodle: MSA-12-0043: Early information access issue in forum
CVE-2012-3392 Moodle: MSA-12-0044: Capability check issue in forum subscriptions
CVE-2012-3393 Moodle: MSA-12-0045: Injection potential in admin for repositories
CVE-2012-3394 Moodle: MSA-12-0046: Insecure protocol redirection in LDAP authentication
CVE-2012-3395 Moodle: MSA-12-0047: SQL injection potential in Feedback module
CVE-2012-3396 Moodle: MSA-12-0048: Possible XSS in cohort administration
CVE-2012-3397 Moodle: MSA-12-0049: Group restricted activity displayed to all users
CVE-2012-3398 Moodle: MSA-12-0050: Potential DOS attack through database activity

The above is summarized, including affected releases for each flaw, and links to the fixes in git:

http://www.openwall.com/lists/oss-security/2012/07/17/1

Upstream release announcements:

http://docs.moodle.org/dev/Moodle_1.9.19_release_notes
http://docs.moodle.org/dev/Moodle_2.0.10_release_notes
http://docs.moodle.org/dev/Moodle_2.1.7_release_notes
http://docs.moodle.org/dev/Moodle_2.2.4_release_notes
http://docs.moodle.org/dev/Moodle_2.3.1_release_notes
Comment 1 Vincent Danen 2012-07-20 12:21:54 EDT
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 841954]
Affects: epel-all [bug 824482]