Security Information / 2012 / Security Information -- DSA-2421-1 moodle

Debian Security Advisory

DSA-2421-1 moodle -- several vulnerabilities

Date Reported:

29 Feb 2012

Affected Packages:

moodle

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-4308, CVE-2011-4584, CVE-2011-4585, CVE-2011-4586, CVE-2011-4587, CVE-2011-4588, CVE-2012-0792, CVE-2012-0793, CVE-2012-0794, CVE-2012-0795, CVE-2012-0796.

More information:

Several security issues have been fixed in Moodle, a course management system for online learning:

• CVE-2011-4308 / CVE-2012-0792

  Rossiani Wijaya discovered an information leak in mod/forum/user.php.

• CVE-2011-4584

  MNet authentication didn't prevent a user using Login as from jumping to a remove MNet SSO.

• CVE-2011-4585

  Darragh Enright discovered that the change password form was send in over plain HTTP even if httpslogin was set to true.

• CVE-2011-4586

  David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module.

• CVE-2011-4587

  Stephen Mc Guiness discovered empty passwords could be entered in some circumstances.

• CVE-2011-4588

  Patrick McNeill discovered that IP address restrictions could be bypassed in MNet.

• CVE-2012-0796

  Simon Coggins discovered that additional information could be injected into mail headers.

• CVE-2012-0795

  John Ehringer discovered that email addresses were insufficiently validated.

• CVE-2012-0794

  Rajesh Taneja discovered that cookie encryption used a fixed key.

• CVE-2012-0793

  Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option forceloginforprofileimages was introduced for that.

For the stable distribution (squeeze), this problem has been fixed in version 1.9.9.dfsg2-2.1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 1.9.9.dfsg2-5.

We recommend that you upgrade your moodle packages.