2:53 p.m.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle
multiple vulnerabilities
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: high
Priority: normal
Component: moodle
AssignedTo: imlinux(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
Moodle 1.6.1 and earlier are reportedly vulnerable to:
- cross site scripting (CVE-2006-4784)
- SQL injection (CVE-2006-4785)
- sensitive information disclosure (CVE-2006-4786)
FE-4, FE-5 and devel apparently affected.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
3:22 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From tibbs(a)math.uh.edu 2006-09-14 16:21 EST -------
At this time I'm having difficulty verifying that the 1.5.4 release is
vulnerable. Secunia is still saying 1.6.x, and that other versions may be
vulnerable. Moodle.org doesn't have anything to say about the matter other than
the 1.6.2 release indicating security fixes. (The 1.5 branch is still
maintained, but shows no related changes.)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
9:33 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
imlinux(a)gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
------- Additional Comments From imlinux(a)gmail.com 2006-09-14 22:33 EST -------
I'll keep my eye open as well, I'll probably just update for update's sake
though there's some patches I don't fully understand being applied to that
packge. (new maintainer)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
10:31 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From tibbs(a)math.uh.edu 2006-09-14 23:30 EST -------
Let me know if you need assistance. I have some experience with Moodle but no
longer use it here; I updated the package previously to deal with a security
issue but I have little interest in maintaining it in the long term.
I admit to being confused by the patches as well; I understand what they're
doing but I don't really understand why they need to be applied. And of course
there's no documentation. I'm beginning to think that we should require that
all patches have at least a line of comment in the spec file indicating what
they change and why they need to be applied.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
2:14 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From ville.skytta(a)iki.fi 2006-09-27 15:14 EST -------
More issues reported mostly against 1.6.1 and earlier or 1.6.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4935
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
2:31 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From imlinux(a)gmail.com 2006-09-27 15:31 EST -------
Actually I'd really appreciate that, I haven't had time to sit down and really
look at what the patches do. I took this from ignacio because I felt it was
important enough to make sure it was maintained and because no one else wanted
it :D.
tibbs: If you have some time and can help me out, by all means have at it.
I'm not against removing the patches to see what happens, people may not even be
using them.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
3:36 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From tibbs(a)math.uh.edu 2006-09-27 16:36 EST -------
As far as I can tell, none of the CVEs in comment #4 apply to moodle 1.5.4.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
1:25 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From ville.skytta(a)iki.fi 2006-10-10 14:24 EST -------
Yet one more for 1.6.2: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5219
If this new doesn't affect the packaged versions and all the earlier reported
ones have been verified to not affect them either, perhaps someone who has
done the verification could close this bug?
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
3:30 p.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
------- Additional Comments From imlinux(a)gmail.com 2006-10-13 16:30 EST -------
FYI, I've been working to update this to 1.6.3. I'm going to release a version
to devel today. FC[4-5] to follow.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
9:09 a.m.
New subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516
imlinux(a)gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |CLOSED
Resolution| |NEXTRELEASE
------- Additional Comments From imlinux(a)gmail.com 2006-10-27 10:09 EST -------
No one has complained, I'll be rebuilding FC4 and 5 immediately.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
6391
days inactive
6434
days old
security@lists.fedoraproject.org
9 comments
1 participants
participants (1)
-
Red Hat Bugzilla