Bug 985651 - (CVE-2013-2242, CVE-2013-2243, CVE-2013-2244, CVE-2013-2245, CVE-2013-2246, CVE-2013-4938, CVE-2013-4939, CVE-2013-4940, CVE-2013-4941, CVE-2013-4942) CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245 CVE-2013-2246 CVE-2013-4938 CVE-2013-4939 CVE-2013-4940 CVE-2013-4941 CVE-2013-4942 moodle: upstream 2.5.1, 2.4.5, 2.3.8, 2.2.11 security fixes
CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245 CVE-2013-2246 CVE-201...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130708,repor...
: Security
Depends On: 985652 985654
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-17 23:11 EDT by Vincent Danen
Modified: 2013-07-29 12:32 EDT (History)
1 user (show)

See Also:
Fixed In Version: moodle 2.5.1, moodle 2.4.5, moodle 2.3.8, moodle 2.2.11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-29 12:32:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-07-17 23:11:19 EDT
Moodle upstream has released versions 2.5.1, 2.4.5, 2.3.8, and 2.2.11 to fix the following security flaws:

MSA-13-0025: XSS vulnerability in YUI library
MSA-13-0026: Personal information leak in IMS-LTI
CVE-2013-2242 MSA-13-0027: Access issue in Chat module
CVE-2013-2243 MSA-13-0028: Answer information revealed in Lesson activity
CVE-2013-2244 MSA-13-0029: XSS risk in conditional activities
CVE-2013-2245 MSA-13-0030: Information leak through RSS
CVE-2013-2246 MSA-13-0031: Personal information leak in Feedback activity

Upstream release announcements (which include links to the advisories which also link to patches):

http://docs.moodle.org/dev/Moodle_2.5.1_release_notes
http://docs.moodle.org/dev/Moodle_2.4.5_release_notes
http://docs.moodle.org/dev/Moodle_2.3.8_release_notes
http://docs.moodle.org/dev/Moodle_2.2.11_release_notes

Also note that 2.2.11 is the last release of 2.2.x so EPEL5 may need to move to 2.3.x or later, or else will have to backport future fixes.
Comment 1 Vincent Danen 2013-07-17 23:13:08 EDT
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 985652]
Affects: epel-all [bug 985654]
Comment 2 Vincent Danen 2013-07-29 12:32:55 EDT
For Fedora, the following releases were made to correct these flaws:

moodle-2.2.11-1.fc17
moodle-2.3.8-2.fc18
moodle-2.4.5-2.fc19

For EPEL6, the following release was made to correct these flaws:

moodle-2.3.8-1.el6

EPEL5 is still currently using the 1.9.x version that may be affected by these issues.

In addition, the following CVEs were assigned to issues resolved in these versions of Moodle (related to MSA-13-0025 and MSA-13-0026):


CVE-2013-4938:
The LTI (aka IMS-LTI) mod_form implementation in Moodle through
2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5,
and 2.5.x before 2.5.1 does not properly support the sendname,
sendemailaddr, and acceptgrades settings, which allows remote
attackers to obtain sensitive information in opportunistic
circumstances by leveraging an environment in which there was an
ineffective attempt to enable the more secure values.

CVE-2013-4939:
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility
component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through
2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5,
2.5.x before 2.5.1, and other products, allows remote attackers to
inject arbitrary web script or HTML via a crafted string in a URL.

CVE-2013-4940:
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility
component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10,
2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x
before 2.5.1, and other products, allows remote attackers to inject
arbitrary web script or HTML via a crafted string in a URL. NOTE: this
vulnerability exists because of a 3.9.1 regression.

CVE-2013-4941:
Cross-site scripting (XSS) vulnerability in uploader.swf in the
Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in
Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x
before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote
attackers to inject arbitrary web script or HTML via a crafted string
in a URL.

CVE-2013-4942:
Cross-site scripting (XSS) vulnerability in flashuploader.swf in the
Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in
Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x
before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote
attackers to inject arbitrary web script or HTML via a crafted string
in a URL.

Note You need to log in before you can comment on or make changes to this bug.