[Secure-testing-team] Bug#559531: moodle: Security fixes released

Vicm3 vicm3 at janus.ajusco.upn.mx
Sat Dec 5 06:41:02 UTC 2009


Package: moodle
Version: 1.8.2.dfsg-3+lenny2
Severity: grave
Tags: security
Justification: user security hole

A series of security issues are fixed in 1.8.11; salted passwords are also enabled for new installations.
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

 Security issues

    * MSA-09-0022 - Multiple CSRF problems fixed
    * MSA-09-0023 - Fixed user account disclosure in LAMS module
    * MSA-09-0024 - Fixed insufficient access control in Glossary module
    * MSA-09-0025 - Unneeded MD5 hashes removed from user table
    * MSA-09-0026 - Fixed invalid application access control in MNET interface
    * MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
    * MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
    * MSA-09-0029 - Enabling a password salt is encouraged in config.php and admins are forced to change password after the upgrade
    * MSA-09-0031 - Fixed SQL injection in SCORM module 

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny6       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny2     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny4 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny4 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny2     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny4 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed
