Moodle upstream has released 2.3.3, 2.2.6 and 2.1.9 version: [1] http://docs.moodle.org/dev/Moodle_2.3.3_release_notes [2] http://docs.moodle.org/dev/Moodle_2.2.6_release_notes [3] http://docs.moodle.org/dev/Moodle_2.1.9_release_notes correcting multiple security issues: [4] http://www.openwall.com/lists/oss-security/2012/11/19/1 More from [4]: ======================================================================= MSA-12-0057: Access issue through repository Topic: User B is able to see and use Dropbox of User A within Dropbox Repository File Picker Severity/Risk: Serious Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ Reported by: Alexander Bias Issue no.: MDL-29872, MDL-36366 CVE Identifier: CVE-2012-5471 Workaround: Turn off Dropbox repository Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872 Description: Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but the user's access to Dropbox was still allowed while their browser session continued. ======================================================================= MSA-12-0058: Possible form data manipulation issue Topic: add setConstant() for hardfreeze element Severity/Risk: Minor Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+ Reported by: Rossiani Wijaya Issue no.: MDL-32785 CVE Identifier: CVE-2012-5472 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785 Description: Frozen form elements were open to manipulation when form data was submitted. ======================================================================= MSA-12-0059: Information leak in Database activity module Topic: Members of seperate groups can see Database activity entries for other groups Severity/Risk: Minor Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ Reported by: Richard Meyer Issue no.: MDL-34448 CVE Identifier: CVE-2012-5473 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448 Description: Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search. ======================================================================= MSA-12-0060: Cross-site scripting vulnerability in YUI2 Topic: yui2 swf vulnerability Severity/Risk: Serious Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ 1.9 to 1.9.18+ Reported by: Petr �koda, Jenny Donnelly Issue no.: MDL-36346 CVE Identifier: CVE-2012-5475 Workaround: Delete YUI SWF files Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346 Description: A XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. ======================================================================= MSA-12-0061: Remote code execution through Portfolio API Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE). Severity/Risk: Serious Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ Reported by: Cristobal Leiva Issue no.: MDL-33791 CVE Identifier: CVE-2012-5479 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346 Description: It was possible, when Moodle data is stored within the Web accessible directory, to manipulate the Portfolio API callbacks to execute a file uploaded by a user. ======================================================================= MSA-12-0062: Information leak in Database activity module Topic: Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants entries Severity/Risk: Minor Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ Reported by: Tabitha Roder Issue no.: MDL-35558 CVE Identifier: CVE-2012-5480 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558 Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search. ======================================================================= MSA-12-0063: Information leak in Check Permissions page Topic: Check Permissions page displays entire user base without moodle/role:manage capability Severity/Risk: Minor Versions affected: 2.3 to 2.3.2+ Reported by: Jody Steele Issue no.: MDL-35381 CVE Identifier: CVE-2012-5481 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381 Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.
The table of affected moodle package versions (based on review of provided upstream patches if they would be applicable) as shipped with Fedora release of 16, 17, Fedora EPEL 6, and Fedora EPEL 5 is as follows: [Legend: A = Affected, NA = Not Affected] | F-17 | F-16/EPEL-6 | EPEL-5 | -------------------------------------------------- | CVE-2012-5471 | A | A | NA | | CVE-2012-5472 | A | A | A | | CVE-2012-5473 | A | A | A | | CVE-2012-5475 | A[*]| A[*] | A[*] | | CVE-2012-5479 | A | A | A | | CVE-2012-5480 | A | A | A | | CVE-2012-5481 | A | A | NA | -------------------------------------------------- [*] Based on: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475 the CVE-2012-5475 identifier has been rejected (in favour of CVE-2012-5881, CVE-2012-5882, CVE-2012-5883) => that being the reason CVE-2012-5475 not used in alias field of this bug.
Created moodle tracking bugs for this issue Affects: fedora-all [bug 878132] Affects: epel-all [bug 878133]