Moodle upstream has released latest v1.9.8 and v.1.8.12 versions:

[1] http://docs.moodle.org/en/Moodle_1.9.8_release_notes
[2] http://docs.moodle.org/en/Moodle_1.8.12_release_notes

addressing multiple security issues (from [2]):

* MSA-10-0001 Vulnerability in KSES text cleaning
* MSA-10-0002 XSS vulnerability in the phpcas module
* MSA-10-0003 Disclosure of full user names
* MSA-10-0005 Incorrect validation of forms data
* MSA-10-0006 SQL injection in Wiki module
* MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
* MSA-10-0008 Persistent XSS when using Login-as feature
* MSA-10-0009 Session fixation prevention now turned on by default

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/04/01/1
Though current Fedora versions of moodle have already been upgraded to v1.9.8 (thanks Jon), these issues still affect the versions of the moodle package, as present within EPEL-4 and EPEL-5 repositories. Please fix.
moodle-1.8.12-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el5
moodle-1.8.12-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/moodle-1.8.12-1.el4
moodle-1.8.12-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
moodle-1.8.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
MITRE has assigned the following CVEs for these issues (as noted in http://www.openwall.com/lists/oss-security/2010/04/29/10):

>MSA-10-0009: Session fixation prevention now turned on by default
Use CVE-2010-1613

>MSA-10-0008: Persistent XSS when using Login-as feature
>MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle
>Global Search Engine
These two are combined into a single CVE. Use CVE-2010-1614

>MSA-10-0006: SQL injection in Wiki module
>MSA-10-0005: Incorrect validation of forms data
These two are combined into a single CVE. Use CVE-2010-1615

>MSA-10-0004: Improved access control in course restore
Use CVE-2010-1616

>MSA-10-0003: Disclosure of full user names
Use CVE-2010-1617

>MSA-10-0002: XSS vulnerability in the phpcas module
Use CVE-2010-1618

>MSA-10-0001: Vulnerability in KSES text cleaning
Use CVE-2010-1619