Moodle upstream has released versions 2.5.1, 2.4.5, 2.3.8, and 2.2.11 to fix the following security flaws: MSA-13-0025: XSS vulnerability in YUI library MSA-13-0026: Personal information leak in IMS-LTI CVE-2013-2242 MSA-13-0027: Access issue in Chat module CVE-2013-2243 MSA-13-0028: Answer information revealed in Lesson activity CVE-2013-2244 MSA-13-0029: XSS risk in conditional activities CVE-2013-2245 MSA-13-0030: Information leak through RSS CVE-2013-2246 MSA-13-0031: Personal information leak in Feedback activity Upstream release announcements (which include links to the advisories which also link to patches): http://docs.moodle.org/dev/Moodle_2.5.1_release_notes http://docs.moodle.org/dev/Moodle_2.4.5_release_notes http://docs.moodle.org/dev/Moodle_2.3.8_release_notes http://docs.moodle.org/dev/Moodle_2.2.11_release_notes Also note that 2.2.11 is the last release of 2.2.x so EPEL5 may need to move to 2.3.x or later, or else will have to backport future fixes.
Created moodle tracking bugs for this issue: Affects: fedora-all [bug 985652] Affects: epel-all [bug 985654]
For Fedora, the following releases were made to correct these flaws: moodle-2.2.11-1.fc17 moodle-2.3.8-2.fc18 moodle-2.4.5-2.fc19 For EPEL6, the following release was made to correct these flaws: moodle-2.3.8-1.el6 EPEL5 is still currently using the 1.9.x version that may be affected by these issues. In addition, the following CVEs were assigned to issues resolved in these versions of Moodle (related to MSA-13-0025 and MSA-13-0026): CVE-2013-4938: The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values. CVE-2013-4939: Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. CVE-2013-4940: Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a 3.9.1 regression. CVE-2013-4941: Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. CVE-2013-4942: Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.