[Bug 650155] New: Moodle: Security Update to 1.9.10
https://bugzilla.novell.com/show_bug.cgi?id=650155
https://bugzilla.novell.com/show_bug.cgi?id=650155#c0

           Summary: Moodle: Security Update to 1.9.10
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: lrupp@novell.com
         QAContact: qa@suse.de
          Found By: Other
           Blocker: ---

Received the following Mail from: Martin Dougiamas <martin@moodle.com> via securityalerts <securityalerts@lists.moodle.org>

Hello registered Moodle Admins!

(This email is going out to over 72,000 registered Moodle admins. You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you don't want these emails then see the very end of this email for info about unsubscribing)

I'm writing today to let you know that Moodle 1.9.10 is available via the usual open download channels (http://download.moodle.org, CVS or Git).

The release notes are here:

 * http://docs.moodle.org/en/Moodle_1.9.10_release_notes

These are the security issues that 1.9.10 will fix for you:

 * MSA-10-0017 XSS vulnerability in YUI 2.4.0 through YUI 2.8.1
 * MSA-10-0016 Multiple phpCAS library vulnerabilities
 * MSA-10-0015 Customised HTML Purifier upgraded to 4.2.0

And also note this issue with the optional MySQL module:

 * MSA-10-0014 Customised phpMyAdmin upgraded to 2.11.11

You can find full details of all these here:

 * http://moodle.org/security

All the details have already been published (it was not possible to give Moodle admins advance warning this time due to constraints from external development teams we coordinated with), so please update your sites as soon as possible to remove any risk of them being attacked using these known vulnerabilities.

Thanks as always to everyone involved in reporting and fixing security issues for all their hard work.

Cheers and thanks for using Moodle!
(Moodle 2.0 is very close now!)

Martin Dougiamas
(Moodle founder and lead developer)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650155#c1

Lars Vogdt <lrupp@novell.com> changed:

            What | Removed                                   | Added
----------------------------------------------------------------------------
        Priority | P5 - None                                 | P3 - Medium
          Status | NEW                                       | NEEDINFO
              CC |                                           | lrupp@novell.com
    InfoProvider |                                           | security-team@suse.de
      AssignedTo | bnc-team-screening@forge.provo.novell.com | lrupp@novell.com
Target Milestone | ---                                       | Final

--- Comment #1 from Lars Vogdt <lrupp@novell.com> 2010-10-29 10:13:35 UTC ---

As in former days, I'd like to request a security update to this version for the package moodle on openSUSE 11.1....

https://bugzilla.novell.com/show_bug.cgi?id=650155#c2

Ludwig Nussel <lnussel@novell.com> changed:

        What | Removed                           | Added
----------------------------------------------------------------------------
      Status | NEEDINFO                          | NEW
          CC |                                   | security-team@suse.de
InfoProvider | security-team@suse.de             |
     Summary | Moodle: Security Update to 1.9.10 | VUL-0: moodle: Security Update to 1.9.10
    Severity | Critical                          | Normal

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2010-10-29 13:25:27 CEST ---

Thanks. I've requested CVE numbers.

https://bugzilla.novell.com/show_bug.cgi?id=650155#c3

Swamp Workflow Management <swamp@suse.com> changed:

             What | Removed | Added
----------------------------------------------------------------------------
Status Whiteboard |         | maint:running:36821:moderate

--- Comment #3 from Swamp Workflow Management <swamp@suse.com> 2010-10-29 11:26:57 UTC ---

The SWAMPID for this issue is 36821.
This issue was rated as moderate.
Please submit fixed packages until 2010-11-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

https://bugzilla.novell.com/show_bug.cgi?id=650155#c4

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2010-11-04 08:21:16 CET ---

CVE-2010-3866

https://bugzilla.novell.com/show_bug.cgi?id=650155#c5

--- Comment #5 from Sebastian Krahmer <krahmer@novell.com> 2010-11-08 08:03:17 UTC ---

From: "Steven M. Christey" <coley@linus.mitre.org>

While many of the sources for YUI imply that there's only one XSS, one of our CVE analysts observed that the "Affected Files and Patches" section at the end of http://yuilibrary.com/support/2.8.2/ makes it clear that three separate .SWF files are affected, and they are all patched in slightly different versions.

So, I'm going to REJECT CVE-2010-3866 and SPLIT it into the following 3 CVEs:

CVE-2010-4207   charts/assets/charts.swf       YUI 2.4.0 through 2.8.1
CVE-2010-4208   uploader/assets/uploader.swf   YUI 2.5.0 through 2.8.1
CVE-2010-4209   swfstore/swfstore.swf          YUI 2.8.0 through 2.8.1
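
A defender-side check built from the CVE split in comment #5, as an added example that is not part of the original thread and is not Moodle or YUI code: given the bundled YUI 2 version it returns which of the three CVEs apply, and it walks a directory tree for the three SWF paths named in the assignment. The function names are assumptions, and the version string is supplied by the operator rather than detected.

```python
import os

# Affected ranges and file paths exactly as listed in comment #5 (inclusive bounds).
YUI_SWF_CVES = [
    ("CVE-2010-4207", "charts/assets/charts.swf",     (2, 4, 0), (2, 8, 1)),
    ("CVE-2010-4208", "uploader/assets/uploader.swf", (2, 5, 0), (2, 8, 1)),
    ("CVE-2010-4209", "swfstore/swfstore.swf",        (2, 8, 0), (2, 8, 1)),
]

def parse_version(text):
    """Turn '2.6.0' or '2.8.0r4' into a comparable (major, minor, patch) tuple."""
    parts = []
    for field in text.strip().split(".")[:3]:
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break          # ignore suffixes such as the 'r4' build tag
            digits += ch
        if not digits:
            raise ValueError("unparseable version: %r" % text)
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def affected_cves(yui_version):
    """CVE ids whose affected range contains the given YUI version."""
    v = parse_version(yui_version)
    return [cve for cve, _path, lo, hi in YUI_SWF_CVES if lo <= v <= hi]

def find_affected_swfs(root, yui_version):
    """Walk root; return sorted (cve, relative path) for each listed SWF in range."""
    in_range = set(affected_cves(yui_version))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for cve, swf, _lo, _hi in YUI_SWF_CVES:
                if cve in in_range and (rel == swf or rel.endswith("/" + swf)):
                    hits.append((cve, rel))
    return sorted(hits)

if __name__ == "__main__":
    for ver in ("2.3.1", "2.6.0", "2.8.1", "2.8.2"):   # constructed sample versions
        print(ver, affected_cves(ver))
```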

https://bugzilla.novell.com/show_bug.cgi?id=650155#c6

Lars Vogdt <lrupp@novell.com> changed:

      What | Removed          | Added
----------------------------------------------------------------------------
AssignedTo | lrupp@novell.com | security-team@suse.de

--- Comment #6 from Lars Vogdt <lrupp@novell.com> 2010-11-10 19:48:18 UTC ---

Packages tested and submitted to 11.1 - reassigning.

https://bugzilla.novell.com/show_bug.cgi?id=650155#c7

--- Comment #7 from Thomas Biege <thomas@novell.com> 2010-11-11 15:00:41 UTC ---

CVE-2010-4207: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2010-4207: Cross-Site Scripting (XSS) (CWE-79)

CVE-2010-4208: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2010-4208: Cross-Site Scripting (XSS) (CWE-79)

CVE-2010-4209: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2010-4209: Cross-Site Scripting (XSS) (CWE-79)

https://bugzilla.novell.com/show_bug.cgi?id=650155#c8

Swamp Workflow Management <swamp@suse.com> changed:

             What | Removed                      | Added
----------------------------------------------------------------------------
Status Whiteboard | maint:running:36821:moderate | maint:running:36821:moderate maint:released:11.1:37096

--- Comment #8 from Swamp Workflow Management <swamp@suse.com> 2010-11-12 08:17:29 UTC ---

Update released for: moodle, moodle-af, moodle-ar, moodle-be, moodle-bg, moodle-bs, moodle-ca, moodle-cs, moodle-da, moodle-de, moodle-de_du, moodle-debuginfo, moodle-el, moodle-es, moodle-et, moodle-eu, moodle-fa, moodle-fi, moodle-fr, moodle-ga, moodle-gl, moodle-he, moodle-hi, moodle-hr, moodle-hu, moodle-id, moodle-is, moodle-it, moodle-ja, moodle-ka, moodle-km, moodle-kn, moodle-ko, moodle-lt, moodle-lv, moodle-mi_tn, moodle-ms, moodle-nl, moodle-nn, moodle-no, moodle-pl, moodle-pt, moodle-ro, moodle-ru, moodle-sk, moodle-sl, moodle-so, moodle-sq, moodle-sr, moodle-sv, moodle-th, moodle-tl, moodle-tr, moodle-uk, moodle-vi, moodle-zh_cn

Products: openSUSE 11.1 (debug, i586)

https://bugzilla.novell.com/show_bug.cgi?id=650155#c9

Thomas Biege <thomas@novell.com> changed:

      What | Removed | Added
----------------------------------------------------------------------------
    Status | NEW     | RESOLVED
Resolution |         | FIXED

--- Comment #9 from Thomas Biege <thomas@novell.com> 2010-11-12 09:03:17 UTC ---

released

https://bugzilla.novell.com/show_bug.cgi?id=650155#c

Swamp Workflow Management <swamp@suse.com> changed:

             What | Removed                                                | Added
----------------------------------------------------------------------------
Status Whiteboard | maint:running:36821:moderate maint:released:11.1:37096 | maint:released:11.1:37096