[SECURITY] Fedora 21 Update: moodle-2.7.5-1.fc21
updates at fedoraproject.org
updates at fedoraproject.org
Sun Feb 15 03:24:22 UTC 2015
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-1751
2015-02-06 00:19:43
--------------------------------------------------------------------------------
Name : moodle
Product : Fedora 21
Version : 2.7.5
Release : 1.fc21
URL : http://moodle.org/
Summary : A Course Management System
Description :
Moodle is a course management system (CMS) - a free, Open Source software
package designed using sound pedagogical principles, to help educators create
effective online learning communities.
--------------------------------------------------------------------------------
Update Information:
The following security notifications have now been made public:
==============================================================================
MSA-15-0001: Insufficient access check in LTI module
Description: Absence of capability check in AJAX backend script could
allow any enrolled user to search the list of registered
tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page
Description: Course summary on course request pending approval page was
displayed to the manager unescaped and could be used for
XSS attack
Issue summary: XSS in course request pending approval page (Privilege
Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted
users
CVE identifier: CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
==============================================================================
MSA-15-0003: CSRF possible in Glossary module
Description: Two files in the Glossary module lacked a session key check
potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services
Description: Through web-services it was possible to access
messaging-related functions such as people search even if
messaging is disabled on the site
Issue summary: Messages external functions doesn't check if messaging is
enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related
functions
CVE identifier: CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services
Description: Through web-services it was possible to get information
about calendar events which user did not have enough
permissions to see
Issue summary: calendar/externallib.php lacks
self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask
Description: Users with capability to grade in Lesson module were not
reported as users with XSS risk but their feedback was
displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay
feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034
==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter
Description: Not optimal regular expression in the filter could be
exploited to create extra server load or make particular
page unavailable
Issue summary: ReDOS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin
Description: It was possible to forge a request to logout users even
when not authenticated through Shibboleth
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver
configuration
CVE identifier: CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
==============================================================================
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 5 2015 Jon Ciesla <limburgher at gmail.com> - 2.7.5-1
- 2.7.5, fix for security issues.
* Fri Nov 14 2014 Jon Ciesla <limburgher at gmail.com> - 2.7.3-1
- 2.7.3, fix for security issues.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1183695 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1183695
[ 2 ] Bug #1183694 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1183694
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update moodle' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list