Apart from the security issues commented on in this bug, 10 more security
issues affecting moodle on stable and testing/sid were discovered recently.


Adding them to this bug instead of creating a new one.



Summary:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

-------- Original Message --------
Date: Fri, 20 Jan 2012 11:33:31 -0700
From: Vincent Danen <vda...@redhat.com>
To: oss-secur...@lists.openwall.com

Subject: [oss-security] CVE request: moodle 2.2.1, 2.1.4, 2.0.7, 1.9.16 
vulnerabilities

New moodle releases were made to fix a number of flaws (summarized
below).  Could CVEs be assigned to these?

[1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes


MSA-12-0001: Recaptcha transmission consistency issue
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
Reference: http://moodle.org/mod/forum/discuss.php?d=194008


MSA-12-0002: Personal information leak
Affects: 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
Reference: http://moodle.org/mod/forum/discuss.php?d=194009


MSA-12-0003: Added password protection
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
Reference: http://moodle.org/mod/forum/discuss.php?d=194011


MSA-12-0004: Added profile image security
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
Reference: http://moodle.org/mod/forum/discuss.php?d=194012


MSA-12-0005: Encryption enhancement
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
Reference:  http://moodle.org/mod/forum/discuss.php?d=194013


MSA-12-0006: Additional email address validation
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
Reference: http://moodle.org/mod/forum/discuss.php?d=194014


MSA-12-0007: Email injection prevention
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
Reference: http://moodle.org/mod/forum/discuss.php?d=194015


MSA-12-0008: Unsynchronised access via tokens
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
Reference: http://moodle.org/mod/forum/discuss.php?d=194016


MSA-12-0009: Role access issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
Reference: http://moodle.org/mod/forum/discuss.php?d=194017


MSA-12-0010: Unauthorised access to session key
Affects: 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
Reference: http://moodle.org/mod/forum/discuss.php?d=194018


MSA-12-0011: Browser autofill password issue
Affects: 2.2, 2.1.x, 2.0.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
Reference: http://moodle.org/mod/forum/discuss.php?d=194019


MSA-12-0012: Form validation issue
Affects: 2.2, 2.1.x
Fix: 
http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
Reference: http://moodle.org/mod/forum/discuss.php?d=194020

-- 
Vincent Danen / Red Hat Security Response Team 




-------- Original Message --------
Date: Sat, 21 Jan 2012 17:15:29 -0700
From: Kurt Seifried <kseifr...@redhat.com>
To: oss-secur...@lists.openwall.com
Subject: Re: [oss-security] CVE request: moodle 2.2.1, 2.1.4, 2.0.7, 1.9.16 
vulnerabilities

On 01/20/2012 11:33 AM, Vincent Danen wrote:
> New moodle releases were made to fix a number of flaws (summarized
> below).  Could CVEs be assigned to these?
>
> [1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
> [2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
> [3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
> [4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes
>
Summary:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue


>
> MSA-12-0001: Recaptcha transmission consistency issue
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
> Reference: http://moodle.org/mod/forum/discuss.php?d=194008
>
This is an enhancement and appears to have no security impact.
>
> MSA-12-0002: Personal information leak
> Affects: 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
> Reference: http://moodle.org/mod/forum/discuss.php?d=194009
>
>
Please use CVE-2012-0792 for this issue.

> MSA-12-0003: Added password protection
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
> Reference: http://moodle.org/mod/forum/discuss.php?d=194011
>
Security enhancement to help prevent browsers from remembering a user's
password.
>
> MSA-12-0004: Added profile image security
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
> Reference: http://moodle.org/mod/forum/discuss.php?d=194012
>
Please use CVE-2012-0793 for this issue.

>
> MSA-12-0005: Encryption enhancement
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
> Reference:  http://moodle.org/mod/forum/discuss.php?d=194013
>
Please use CVE-2012-0794 for this issue.

> MSA-12-0006: Additional email address validation
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
> Reference: http://moodle.org/mod/forum/discuss.php?d=194014
>
Please use CVE-2012-0795 for this issue.

>
> MSA-12-0007: Email injection prevention
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
> Reference: http://moodle.org/mod/forum/discuss.php?d=194015
>
Please use CVE-2012-0796 for this issue.

>
> MSA-12-0008: Unsynchronised access via tokens
> Affects: 2.2, 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
> Reference: http://moodle.org/mod/forum/discuss.php?d=194016
>
Please use CVE-2012-0797 for this issue.

>
> MSA-12-0009: Role access issue
> Affects: 2.2, 2.1.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
> Reference: http://moodle.org/mod/forum/discuss.php?d=194017
>
Please use CVE-2012-0798 for this issue.

>
> MSA-12-0010: Unauthorised access to session key
> Affects: 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
> Reference: http://moodle.org/mod/forum/discuss.php?d=194018
>
Please use CVE-2012-0799 for this issue.

>
> MSA-12-0011: Browser autofill password issue
> Affects: 2.2, 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
> Reference: http://moodle.org/mod/forum/discuss.php?d=194019
>
Please use CVE-2012-0800 for this issue.

>
> MSA-12-0012: Form validation issue
> Affects: 2.2, 2.1.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
> Reference: http://moodle.org/mod/forum/discuss.php?d=194020
>
Please use CVE-2012-0801 for this issue.

-- 
Kurt Seifried / Red Hat Security Response Team


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez                           http://neutrino.es
Igalia - Free Software Engineering                http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
