Bug 964321 - (CVE-2013-2079, CVE-2013-2080, CVE-2013-2081, CVE-2013-2082, CVE-2013-2083) moodle: upstream 2.4.4, 2.3.7, and 2.2.10 fixes
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130515,repor...
Keywords: Security
Depends On: 964322 964324
Reported: 2013-05-17 17:07 EDT by Vincent Danen
Modified: 2015-08-22 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-08-22 11:37:09 EDT
Description Vincent Danen 2013-05-17 17:07:00 EDT
Moodle upstream has released versions 2.4.4, 2.3.7, and 2.2.10:

http://docs.moodle.org/dev/Moodle_2.2.10_release_notes
http://docs.moodle.org/dev/Moodle_2.3.7_release_notes
http://docs.moodle.org/dev/Moodle_2.4.4_release_notes

These releases contain unspecified security fixes, the nature of which will be public next week; as per the upstream announcements:

"A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version."
Comment 1 Vincent Danen 2013-05-17 17:08:19 EDT
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 964322]
Affects: epel-all [bug 964324]
Comment 2 Jan Lieskovsky 2013-05-22 06:19:11 EDT
Further issue details (http://www.openwall.com/lists/oss-security/2013/05/21/1) are as follows:

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:       The assignment module was not checking capabilities
                    for users downloading all assignments as a zip.
Issue summary:     Students can download assignments submitted by other
                    students
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Phillip Franks
Issue no.:         MDL-38443
CVE Identifier:    CVE-2013-2079
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:       The Gradebook's Overview report was showing grade
                    totals that may have incorrectly included hidden
                    grades.
Issue summary:     The method for figuring out
                    showtotalsifcontainhidden on the overview report is
                    flawed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Andrew Davis
Issue no.:         MDL-37475
CVE Identifier:    CVE-2013-2080
Workaround:        Ensure all courses have the same value for hiding
                    grades in the gradebook. This is set at
                    Administration > Grades > Course grade settings >
                    Hide totals if they contain hidden items
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:       When registering a site on a hub (not Moodle.net)
                    site information was being sent to the hub
                    regardless of settings chosen.
Issue summary:     Moodle sends site information to a hub even though
                    it's unchecked
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Jérôme Mouneyrac
Issue no.:         MDL-37822
CVE Identifier:    CVE-2013-2081
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:       There was no check of permissions for viewing
                    comments on blog posts.
Issue summary:     Blog comment validation should verify that the user
                    can view a post.
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-37245
CVE Identifier:    CVE-2013-2082
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

=======================================================================
MSA-13-0024: Form filtering issue

Description:       Form elements named using a specific naming
                    scheme were not being filtered correctly
Issue summary:     Elements named foo[i] are not cleaned properly
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-38885
CVE Identifier:    CVE-2013-2083
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
