Mageia alert MGASA-2014-0160 (moodle)
| Field | Value |
|---|---|
| From | Mageia Updates <buildsystem-daemon@mageia.org> |
| To | updates-announce@ml.mageia.org |
| Subject | [updates-announce] MGASA-2014-0160: Updated moodle packages fix multiple security vulnerabilities |
| Date | Thu, 3 Apr 2014 19:23:59 +0200 |
| Message-ID | <20140403172359.E53AD48765@valstar.mageia.org> |
MGASA-2014-0160 - Updated moodle packages fix multiple security vulnerabilities

Publication date: 03 Apr 2014
URL: http://advisories.mageia.org/MGASA-2014-0160.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2013-7341, CVE-2014-0122, CVE-2014-0123, CVE-2014-0124, CVE-2014-0125, CVE-2014-0126, CVE-2014-0127, CVE-2014-2571

Description:

Updated moodle packages fix the following security vulnerabilities:

In Moodle before 2.4.9, question strings were not filtered correctly, possibly allowing cross-site scripting, because quiz_question_tostring could produce invalid HTML (CVE-2014-2571).

Feedback availability dates were not honored in complete.php in Moodle before 2.4.9, so it was possible to start a Feedback activity while it was supposed to be closed (CVE-2014-0127).

Broken access control in /mod/chat/chat_ajax.php in Moodle before 2.4.9: capabilities to chat were checked at the start of a chat but not during it, so changes to those capabilities did not take effect immediately (CVE-2014-0122).

In Moodle before 2.4.9, missing access checks on Wiki pages allowed students to see pages of other students' individual wikis through the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross-site scripting was possible with Flowplayer (CVE-2013-7341).

In Moodle before 2.4.9, Forum and Quiz showed users' email addresses even when settings were supposed to prevent this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco (CVE-2014-0125).

Cross-site request forgery in enrol/imsenterprise/importnow.php in Moodle before 2.4.9, due to inadequate session checking when triggering the import of IMS Enterprise identities (CVE-2014-0126).
References:
- https://moodle.org/mod/forum/discuss.php?d=256416
- https://moodle.org/mod/forum/discuss.php?d=256417
- https://moodle.org/mod/forum/discuss.php?d=256418
- https://moodle.org/mod/forum/discuss.php?d=256419
- https://moodle.org/mod/forum/discuss.php?d=256420
- https://moodle.org/mod/forum/discuss.php?d=256421
- https://moodle.org/mod/forum/discuss.php?d=256422
- https://moodle.org/mod/forum/discuss.php?d=256423
- http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
- https://moodle.org/mod/forum/discuss.php?d=255903
- https://bugs.mageia.org/show_bug.cgi?id=13005
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7341
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2571

SRPMS:
- 4/core/moodle-2.4.9-1.mga4
- 3/core/moodle-2.4.9-1.mga3