Debian Security Advisory
DSA-1724-1 moodle -- several vulnerabilities
- Date Reported:
- 13 Feb 2009
- Affected Packages:
- moodle
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 514284.
In Mitre's CVE dictionary: CVE-2009-0500, CVE-2009-0502, CVE-2008-5153.
- More information:
Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2009-0500
It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web script (a stored cross-site scripting issue).
- CVE-2009-0502
It was discovered that certain input via the "Login as" function was not properly sanitized, leading to the injection of arbitrary web script (cross-site scripting).
- CVE-2008-5153
Dmitry E. Oboukhov discovered that the SpellChecker plugin creates temporary files insecurely, which allows a denial of service attack. Since the plugin was unused, it has been removed in this update.
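The temporary-file bug class behind CVE-2008-5153, shown as an added example that is not the plugin's code (the advisory gives no details of it): a writer that opens a guessable name under a shared directory follows a symlink an attacker planted there and clobbers whatever it points at, which is the usual way this class turns into a denial of service. The safe variants create the file with O_CREAT|O_EXCL (and O_NOFOLLOW where available) or let mkstemp pick an unpredictable name. All paths, names and file contents below are constructed for the demonstration.

```python
"""Insecure versus safe temporary file creation (the CVE-2008-5153 bug class).

Illustrative only: this is not Moodle's SpellChecker code.
"""
import os
import tempfile


def unsafe_temp_write(tmpdir, name, data):
    """Predictable name, plain open(): follows whatever already sits at that path."""
    path = os.path.join(tmpdir, name)
    with open(path, "w") as fh:  # no O_EXCL, so a pre-planted symlink is followed
        fh.write(data)
    return path


def safe_temp_write(tmpdir, data):
    """Unpredictable name, created with O_CREAT|O_EXCL and mode 0600 by mkstemp."""
    fd, path = tempfile.mkstemp(prefix="spellcheck-", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def exclusive_open(path):
    """A fixed-name open done right: refuse an existing entry, never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo():
    """Run the symlink attack against each variant and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a file the service needs intact.
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # The attacker guesses the temp file name and links it to the victim.
        planted = os.path.join(d, "spellcheck.tmp")
        os.symlink(victim, planted)

        # Safe variant: writes elsewhere, victim untouched.
        safe_path = safe_temp_write(d, "garbage\n")
        with open(victim) as fh:
            after_safe = fh.read()

        # Exclusive open of the planted name: EEXIST, nothing written.
        try:
            os.close(exclusive_open(planted))
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        # Unsafe variant: follows the symlink and overwrites the victim.
        unsafe_temp_write(d, "spellcheck.tmp", "garbage\n")
        with open(victim) as fh:
            after_unsafe = fh.read()

        return {
            "victim_after_safe": after_safe,
            "exclusive_open_refused": exclusive_refused,
            "victim_after_unsafe": after_unsafe,
            "safe_path_is_regular": os.path.isfile(safe_path) and not os.path.islink(safe_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from `demo()` is that the defence is the exclusive create, not the directory: the safe variants fail closed when the name is already taken, while the plain `open()` silently writes through the link.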
For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2.
For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
We recommend that you upgrade your moodle package.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc
- http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz
- http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb
MD5 checksums of the listed files are available in the original advisory.