stable

moodle-2.7.5-1.fc21

FEDORA-2015-1751 created by limb 9 years ago for Fedora 21

The following security notifications have now been made public:

============================================================================== MSA-15-0001: Insufficient access check in LTI module

Description: Absence of capability check in AJAX backend script could allow any enrolled user to search the list of registered tools Issue summary: mod/lti/ajax.php security problems Severity/Risk: Minor Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Petr Skoda Issue no.: MDL-47920 CVE identifier: CVE-2015-0211 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920

============================================================================== MSA-15-0002: XSS vulnerability in course request pending approval page

Description: Course summary on course request pending approval page was displayed to the manager unescaped and could be used for XSS attack Issue summary: XSS in course request pending approval page (Privilege Escalation?) Severity/Risk: Serious Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Skylar Kelty Issue no.: MDL-48368 Workaround: Grant permission moodle/course:request only to trusted users CVE identifier: CVE-2015-0212 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368

============================================================================== MSA-15-0003: CSRF possible in Glossary module

Description: Two files in the Glossary module lacked a session key check potentially allowing cross-site request forgery Issue summary: Multiple CSRF in mod glossary Severity/Risk: Serious Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Ankit Agarwal Issue no.: MDL-48106 CVE identifier: CVE-2015-0213 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106

============================================================================== MSA-15-0004: Information leak through messaging functions in web-services

Description: Through web-services it was possible to access messaging-related functions such as people search even if messaging is disabled on the site Issue summary: Messages external functions doesn't check if messaging is enabled Severity/Risk: Minor Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Juan Leyva Issue no.: MDL-48329 Workaround: Disable web services or disable individual message-related functions CVE identifier: CVE-2015-0214 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329

============================================================================== MSA-15-0005: Insufficient access check in calendar functions in web-services

Description: Through web-services it was possible to get information about calendar events which user did not have enough permissions to see Issue summary: calendar/externallib.php lacks self::validate_context($context); Severity/Risk: Minor Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Petr Skoda Issue no.: MDL-48017 CVE identifier: CVE-2015-0215 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017

============================================================================== MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

Description: Users with capability to grade in Lesson module were not reported as users with XSS risk but their feedback was displayed without cleaning Issue summary: mod/lesson:grade capability missing RISK_XSS but essay feedback is displayed with noclean=true Severity/Risk: Minor Versions affected: 2.8 to 2.8.1 Versions fixed: 2.8.2 Reported by: Damyon Wiese Issue no.: MDL-48034 CVE identifier: CVE-2015-0216 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034

============================================================================== MSA-15-0007: ReDoS possible in the multimedia filter

Description: Not optimal regular expression in the filter could be exploited to create extra server load or make particular page unavailable Issue summary: ReDOS in the multimedia filter Severity/Risk: Serious Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Nicolas Martignoni Issue no.: MDL-48546 Workaround: Disable multimedia filter CVE identifier: CVE-2015-0217 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546

============================================================================== MSA-15-0008: Forced logout through Shibboleth authentication plugin

Description: It was possible to forge a request to logout users even when not authenticated through Shibboleth Issue summary: Forced logout via auth/shibboleth/logout.php Severity/Risk: Serious Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions Versions fixed: 2.8.2, 2.7.4 and 2.6.7 Reported by: Petr Skoda Issue no.: MDL-47964 Workaround: Deny access to file auth/shibboleth/logout.php in webserver configuration CVE identifier: CVE-2015-0218 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964

==============================================================================

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2015-1751

This update has been submitted for testing by limb.

9 years ago

Taskotron: depcheck test PASSED on i386. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/34797/steps/runtask/logs/stdio (results are informative only)

Taskotron: depcheck test PASSED on x86_64. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/34797/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 testing updates repository.

9 years ago

This update has been pushed to testing

9 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

9 years ago

This update has been submitted for stable by limb.

9 years ago

Taskotron: upgradepath test PASSED on noarch. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/37006/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 stable updates repository.

9 years ago

This update is currently being pushed to the Fedora 21 stable updates repository.

9 years ago

This update has been pushed to stable

9 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
9 years ago
in testing
9 years ago
in stable
9 years ago
BZ#1183694 CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
0
0
BZ#1183695 CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
0
0

Automated Test Results