[SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- --------------------------------------------------------------------------

Debian Security Advisory DSA 1724-1 security ( -at -) debian.org

http://www.debian.org/security/ Steffen Joeris

February 13th, 2009 http://www.debian.org/security/faq

- --------------------------------------------------------------------------

 

Package : moodle

Vulnerability : several vulnerabilities

Problem type : remote

Debian-specific: no

CVE IDs : CVE-2009-0500 CVE-2009-0502 CVE-2008-5153

Debian Bug : 514284

 

Several vulnerabilities have been discovered in Moodle, an online

course management system. The Common Vulnerabilities and Exposures

project identifies the following problems:

 

CVE-2009-0500

 

It was discovered that the information stored in the log tables

was not properly sanitized, which could allow attackers to inject

arbitrary web code.

 

CVE-2009-0502

 

It was discovered that certain input via the "Login as" function

was not properly sanitised leading to the injection of arbitrary

web script.

 

CVE-2008-5153

 

Dmitry E. Oboukhov discovered that the SpellCheker plugin creates

temporary files insecurely, allowing a denial of service attack.

Since the plugin was unused, it is removed in this update.

 

For the stable distribution (etch) these problems have been fixed in

version 1.6.3-2+etch2.

 

For the testing (lenny) distribution these problems have been fixed in

version 1.8.2.dfsg-3+lenny1.

 

For the unstable (sid) distribution these problems have been fixed in

version 1.8.2.dfsg-4.

 

We recommend that you upgrade your moodle package.

 

 

Upgrade Instructions

- --------------------

 

wget url

will fetch the file for you

dpkg -i file.deb

will install the referenced file.

 

If you are using the apt-get package manager, use the line for

sources.list as given at the end of this advisory:

 

apt-get update

will update the internal database

apt-get upgrade

will install corrected packages

 

You may use an automated update by adding the resources from the

footer to the proper configuration.

 

 

Debian GNU/Linux 4.0 alias etch

- -------------------------------

 

Source archives:

 

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc

Size/MD5 checksum: 793 b86fd980d09fc1f54744962d765a17d7

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz

Size/MD5 checksum: 25398 60b9bf677040fbd71e7951deaa8b91d7

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz

Size/MD5 checksum: 7465709 2f9f3fcf83ab0f18c409f3a48e07eae2

 

Architecture independent components:

 

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb

Size/MD5 checksum: 6582298 7a90893e954672f33e129aa4d7ca5aa3

 

 

These files will probably be moved into the stable distribution on

its next update.

 

- ---------------------------------------------------------------------------------

For apt-get: deb http://security.debian.org/ stable/updates main

For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main