Bug 841953 (CVE-2012-3387, CVE-2012-3388, CVE-2012-3389, CVE-2012-3390, CVE-2012-3391, CVE-2012-3392, CVE-2012-3393, CVE-2012-3394, CVE-2012-3395, CVE-2012-3396, CVE-2012-3397, CVE-2012-3398) - CVE-2012-3387 CVE-2012-3388 CVE-2012-3389 CVE-2012-3390 CVE-2012-3391 CVE-2012-3392 CVE-2012-3393 CVE-2012-3394 CVE-2012-3395 CVE-2012-3396 CVE-2012-3397 CVE-2012-3398 moodle: upstream 2.3.1, 2.2.4, 2.1.7, 2.0.10, 1.9.19 security fixes
Status: CLOSED ERRATA
Alias: CVE-2012-3387, CVE-2012-3388, CVE-2012-3389, CVE-2012-3390, CVE-2012-3391, CVE-2012-3392, CVE-2012-3393, CVE-2012-3394, CVE-2012-3395, CVE-2012-3396, CVE-2012-3397, CVE-2012-3398
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 824482 841954
Reported: 2012-07-20 16:19 UTC by Vincent Danen
Modified: 2023-02-03 15:34 UTC (History)

Fixed In Version: moodle 2.3.1, moodle 2.2.4, moodle 2.1.7, moodle 2.0.10, moodle 1.9.19
Doc Type: Bug Fix
Last Closed: 2013-07-18 03:12:27 UTC
Description Vincent Danen 2012-07-20 16:19:07 UTC
Moodle upstream has released versions 2.3.1, 2.2.4, 2.1.7, 2.0.10, and 1.9.19 to fix the following security flaws:

CVE-2012-3387 Moodle: MSA-12-0039: File upload validation issue
CVE-2012-3388 Moodle: MSA-12-0040: Capabilities issue through caching
CVE-2012-3389 Moodle: MSA-12-0041: XSS issue in LTI module
CVE-2012-3390 Moodle: MSA-12-0042: File access issue in blocks
CVE-2012-3391 Moodle: MSA-12-0043: Early information access issue in forum
CVE-2012-3392 Moodle: MSA-12-0044: Capability check issue in forum subscriptions
CVE-2012-3393 Moodle: MSA-12-0045: Injection potential in admin for repositories
CVE-2012-3394 Moodle: MSA-12-0046: Insecure protocol redirection in LDAP authentication
CVE-2012-3395 Moodle: MSA-12-0047: SQL injection potential in Feedback module
CVE-2012-3396 Moodle: MSA-12-0048: Possible XSS in cohort administration
CVE-2012-3397 Moodle: MSA-12-0049: Group restricted activity displayed to all users
CVE-2012-3398 Moodle: MSA-12-0050: Potential DOS attack through database activity

The above is summarized, including affected releases for each flaw, and links to the fixes in git:

http://www.openwall.com/lists/oss-security/2012/07/17/1

Upstream release announcements:

http://docs.moodle.org/dev/Moodle_1.9.19_release_notes
http://docs.moodle.org/dev/Moodle_2.0.10_release_notes
http://docs.moodle.org/dev/Moodle_2.1.7_release_notes
http://docs.moodle.org/dev/Moodle_2.2.4_release_notes
http://docs.moodle.org/dev/Moodle_2.3.1_release_notes

Comment 1 Vincent Danen 2012-07-20 16:21:54 UTC
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 841954]
Affects: epel-all [bug 824482]