[SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities

Type securityvulns
Reporter Securityvulns
Modified 2009-02-16T00:00:00


Debian Security Advisory DSA 1724-1 security@debian.org http://www.debian.org/security/ Steffen Joeris February 13th, 2009 http://www.debian.org/security/faq

Package : moodle Vulnerability : several vulnerabilities Problem type : remote Debian-specific: no CVE IDs : CVE-2009-0500 CVE-2009-0502 CVE-2008-5153 Debian Bug : 514284

Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:


It was discovered that the information stored in the log tables
was not properly sanitized, which could allow attackers to inject
arbitrary web code.


It was discovered that certain input via the "Login as" function
was not properly sanitised leading to the injection of arbitrary
web script.


Dmitry E. Oboukhov discovered that the SpellCheker plugin creates
temporary files insecurely, allowing a denial of service attack.
Since the plugin was unused, it is removed in this update.

For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2.

For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.

For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.

We recommend that you upgrade your moodle package.

Upgrade Instructions

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch

Source archives:

  Size/MD5 checksum:      793 b86fd980d09fc1f54744962d765a17d7
  Size/MD5 checksum:    25398 60b9bf677040fbd71e7951deaa8b91d7
  Size/MD5 checksum:  7465709 2f9f3fcf83ab0f18c409f3a48e07eae2

Architecture independent components:

  Size/MD5 checksum:  6582298 7a90893e954672f33e129aa4d7ca5aa3

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJldoJW5ql+IAeqTIRAqgIAJ0dhSgFQxBDCq0PoSav/LyyCmtaYQCgj+Ln r8qoVwy7k6F60fJPA1DAKYE= =GzCu -----END PGP SIGNATURE-----