Debian Security Advisory
DSA-1724-1 moodle -- several vulnerabilities
- Date Reported: 13 Feb 2009
- Affected Packages: moodle
- Security database references:
- In the Debian bugtracking system: Bug 514284.
In Mitre's CVE dictionary: CVE-2009-0500, CVE-2009-0502, CVE-2008-5153.
- More information:
Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:
It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code.
It was discovered that certain input via the "Login as" function was not properly sanitized, leading to the injection of arbitrary web script.
Dmitry E. Oboukhov discovered that the SpellChecker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update.
For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2.
For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
We recommend that you upgrade your moodle package.
- Fixed in:
Debian GNU/Linux 4.0 (etch)