DSA 2421-1: moodle security update
Posted on: 03/01/2012 10:50 AM

Updated moodle packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA-2421-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 29, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : moodle
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-4308 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586
CVE-2011-4587 CVE-2011-4588 CVE-2012-0792 CVE-2012-0793
CVE-2012-0794 CVE-2012-0795 CVE-2012-0796

Several security issues have been fixed in Moodle, a course management
system for online learning:

CVE-2011-4308 / CVE-2012-0792

Rossiani Wijaya discovered an information leak in


MNET authentication didn't prevent a user using "Login As" from
jumping to a remote MNET SSO.


Darragh Enright discovered that the change password form was sent
over plain HTTP even if httpslogin was set to "true".


David Michael Evans and German Sanchez Gances discovered CRLF
injection/HTTP response splitting vulnerabilities in the Calendar


Stephen Mc Guiness discovered empty passwords could be entered in
some circumstances.


Patrick McNeill discovered that IP address restrictions could be bypassed in


Simon Coggins discovered that additional information could be
injected into mail headers.


John Ehringer discovered that email addresses were insufficiently


Rajesh Taneja discovered that cookie encryption used a fixed key.


Eloy Lafuente discovered that profile images were insufficiently
protected. A new configuration option "forceloginforprofileimages"
was introduced for that.

For the stable distribution (squeeze), this problem has been fixed in
version 1.9.9.dfsg2-2.1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.9.dfsg2-5.

We recommend that you upgrade your moodle packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_2421_1_moodle_security_update.html)