Importante Aos Usuários Do Moodle

[Alexandre Duran]

Hello registered Moodle Admins!

(This email is going out to over 86,000 registered Moodle admins. You

are receiving this email because you asked for Moodle security news

when you registered a Moodle site. If you don't want these emails

then see the very end of this email for info about unsubscribing.

Replies to this email will not be read.)

I'm writing today to let you know that Moodle 2.3.3, 2.2.6 and 2.1.9

are available via the usual open download channels

(http://download.moodle.org, CVS or Git).

Note that we will no longer be providing updates via a CVS mirror

from Jan 1, 2013. (https://moodle.org/mod/forum/discuss.php?d=215489)

Note that the 2.1 and 1.9 branches are now supported for security

fixes only. Also note that no release has been made in the 1.9 branch

but there have been serious security issues fixed in this branch.

The full release notes are here:

* http://docs.moodle.org/dev/Moodle_2.3.3_release_notes

* http://docs.moodle.org/dev/Moodle_2.2.6_release_notes

* http://docs.moodle.org/dev/Moodle_2.1.9_release_notes

SECURITY ISSUES

As well as a long list of bug fixes, performance improvements and

polishing, there are 7 security issues you should be aware of.

Details of these security issues are listed below.

As a registered Moodle admin we are giving you advance notice of these

issues so you have some time to fix them before we publish them more

widely on http://moodle.org/security in one week.

To avoid leaving your site vulnerable we highly recommend you upgrade

your sites to the latest Moodle version as soon as you can.

If you cannot upgrade then please check the following list carefully

and patch your own system or switch off those features.

Thanks, as always, to EVERYONE involved in reporting and fixing security

issues. It really is a team effort and one with more and more people

involved all the time.

Cheers and thanks for using Moodle!

Michael de Raadt

Development Manager, Moodle HQ

=======================================================================

MSA-12-0057: Access issue through repository

Topic: User B is able to see and use Dropbox of User A

within Dropbox Repository File Picker

Severity/Risk: Serious

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+

Reported by: Alexander Bias

Issue no.: MDL-29872, MDL-36366

CVE Identifier: CVE-2012-5471

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872

Description:

Users who logged out of Dropbox through the Moodle repository were

disconnected in Moodle, but the user's access to Dropbox was still

allowed while their browser session continued.

=======================================================================

MSA-12-0058: Possible form data manipulation issue

Topic: add setConstant() for hardfreeze element

Severity/Risk: Minor

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+

Reported by: Rossiani Wijaya

Issue no.: MDL-32785

CVE Identifier: CVE-2012-5472

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785

Description:

Frozen form elements were open to manipulation when form data was

submitted.

=======================================================================

MSA-12-0059: Information leak in Database activity module

Topic: Members of seperate groups can see Database activity

entries for other groups

Severity/Risk: Minor

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+

Reported by: Richard Meyer

Issue no.: MDL-34448

CVE Identifier: CVE-2012-5473

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448

Description:

Within the Database activity module, when separate groups were used,

members of one group were able to see entries created by members of

another group by completing an advanced search.

=======================================================================

MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic: yui2 swf vulnerability

Severity/Risk: Serious

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+

1.9 to 1.9.18+

Reported by: Petr Škoda, Jenny Donnelly

Issue no.: MDL-36346

CVE Identifier: CVE-2012-5475

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description:

A XSS vulnerability has been discovered in some YUI 2 .swf files from

versions 2.4.0 through 2.9.0. This defect allows Javascript injection

exploits to be created against domains that host affected YUI .swf

files.

=======================================================================

MSA-12-0061: Remote code execution through Portfolio API

Topic: Portfolio plugin: Local File Inclusion (LFI) and the

possibility of Remote Command Execution (RCE).

Severity/Risk: Serious

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+

Reported by: Cristobal Leiva

Issue no.: MDL-33791

CVE Identifier: CVE-2012-5479

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346

Description:

It was possible, when Moodle data is stored within the Web accessible

directory, to manipulate the Portfolio API callbacks to execute a file

uploaded by a user.

=======================================================================

MSA-12-0062: Information leak in Database activity module

Topic: Any user (including a guest) can view entries in

database activity when more entries are required

before viewing other participants entries

Severity/Risk: Minor

Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+

Reported by: Tabitha Roder

Issue no.: MDL-35558

CVE Identifier: CVE-2012-5480

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558

Description:

The setting requiring that a number of entries be posted to a Database

activity before others' entries could be viewed could be circumvented

using an advanced search.

=======================================================================

MSA-12-0063: Information leak in Check Permissions page

Topic: Check Permissions page displays entire user base

without moodle/role:manage capability

Severity/Risk: Minor

Versions affected: 2.3 to 2.3.2+

Reported by: Jody Steele

Issue no.: MDL-35381

CVE Identifier: CVE-2012-5481

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381

Description:

The Check Permissions page was allowing non-admin users to see the

capabilities of all users, not just users in a course/category.

--

You are receiving this email because you registered a Moodle site with Moodle.org

and chose to be added to this low-volume list of security notifications and other

important Moodle-related announcements for Moodle administrators.

To unsubscribe you can re-register your site (as above) and make sure you

turn the email option OFF in the registration form. You can also send

a blank email to sympa@lists.moodle.org with "unsubscribe securityalerts"

as the subject (from the email address that is subscribed).

See http://lists.moodle.org/info/securityalerts for more.