Debian Security Advisory DSA 1724-1 firstname.lastname@example.org http://www.debian.org/security/ Steffen Joeris February 13th, 2009 http://www.debian.org/security/faq
Package : moodle Vulnerability : several vulnerabilities Problem type : remote Debian-specific: no CVE IDs : CVE-2009-0500 CVE-2009-0502 CVE-2008-5153 Debian Bug : 514284
Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:
It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code.
It was discovered that certain input via the "Login as" function was not properly sanitised leading to the injection of arbitrary web script.
Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update.
For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2.
For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
We recommend that you upgrade your moodle package.
wget url will fetch the file for you dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:
apt-get update will update the internal database apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc Size/MD5 checksum: 793 b86fd980d09fc1f54744962d765a17d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz Size/MD5 checksum: 25398 60b9bf677040fbd71e7951deaa8b91d7 http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz Size/MD5 checksum: 7465709 2f9f3fcf83ab0f18c409f3a48e07eae2
Architecture independent components:
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb Size/MD5 checksum: 6582298 7a90893e954672f33e129aa4d7ca5aa3
These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: email@example.com Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>