Your message dated Mon, 11 Jan 2010 19:48:27 +0000
with message-id <e1nuqfx-0007pv...@ries.debian.org>
and subject line Bug#559531: fixed in moodle 1.8.2.dfsg-6
has caused the Debian Bug report #559531,
regarding moodle: User secrets on backup & restore CVE-2009-4303[2] Patch supplied
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
559531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Version: 1.8.2.dfsg-3+lenny2
Severity: grave
Tags: security
Justification: user security hole
CVE-2009-4303[2]:
| Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password
| hashes and (2) unspecified "secrets" in backup files, which might
| allow attackers to obtain sensitive information.
Searching on the Moodle site, I found the git commits that fixed this CVE; they are
not complex, so I think it's a good idea to commit them to Debian Moodle as well.
http://git.moodle.org/gw?p=moodle.git;a=patch;h=306e851f93d67c6919f11d7c8910af301c57bbbf
Upstream data:
Bug MDL-20932 FIXED Get rid of user->secret in backup files (and ignore it on restore) Major Resolved
vi...@avalon:~$ svn diff -r3:4 moodle/backup/backuplib.php
Index: moodle/backup/backuplib.php
--- moodle/backup/backuplib.php (revision 3)
+++ moodle/backup/backuplib.php (revision 4)
@@ -1126,7 +1126,6 @@
fwrite ($bf,full_tag("LASTLOGIN",4,false,$user->lastlogin));
fwrite
($bf,full_tag("CURRENTLOGIN",4,false,$user->currentlogin));
fwrite ($bf,full_tag("LASTIP",4,false,$user->lastip));
- fwrite ($bf,full_tag("SECRET",4,false,$user->secret));
fwrite ($bf,full_tag("PICTURE",4,false,$user->picture));
fwrite ($bf,full_tag("URL",4,false,$user->url));
fwrite
($bf,full_tag("DESCRIPTION",4,false,$user->description));
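Review bot: Only the SECRET element is dropped from the user record written by backuplib.php, while the CVE text quoted in this report also lists password hashes as leaking into backup files; please state in the bug whether the PASSWORD tag is covered by a separate commit or is deliberately kept so that restored accounts retain their credentials. Also, the hunk as pasted has been line-wrapped by the mail client (`fwrite` and its `($bf,full_tag("CURRENTLOGIN",4,false,$user->currentlogin));` argument now sit on separate lines), so it will not apply with patch(1); attaching the upstream patch file from the git.moodle.org link above is safer than an inline copy.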
vi...@avalon:~$ svn diff -r3:4 moodle/backup/restorelib.php
Index: moodle/backup/restorelib.php
--- moodle/backup/restorelib.php (revision 3)
+++ moodle/backup/restorelib.php (revision 4)
@@ -4670,9 +4670,6 @@
case "LASTIP":
$this->info->tempuser->lastip =
$this->getContents();
break;
- case "SECRET":
- $this->info->tempuser->secret =
$this->getContents();
- break;
case "PICTURE":
$this->info->tempuser->picture =
$this->getContents();
break;
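Review bot: Removing the `case "SECRET":` branch makes the restore parser rely on the switch's default handling for backups produced before this fix, which still contain a SECRET element; confirm that unknown tags are ignored by default (the upstream note says the value is to be ignored on restore, not rejected) rather than raising an error or being stored through some generic path. The hunk header `@@ -4670,9 +4670,6 @@` is consistent with the three removed lines, but this copy is also line-wrapped (`$this->info->tempuser->lastip =` / `$this->getContents();`), so it needs re-joining before it can be applied.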
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (900, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages moodle depends on:
ii apache2-mpm-prefor 2.2.9-10+lenny6 Apache HTTP Server - traditional n
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii mimetex 1.50-1+lenny1 LaTeX math expressions to anti-ali
ii mysql-client-5.0 [ 5.0.51a-24+lenny2 MySQL database client binaries
ii php5-cli 5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii php5-curl 5.2.6.dfsg.1-1+lenny4 CURL module for php5
ii php5-gd 5.2.6.dfsg.1-1+lenny4 GD module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii smarty 2.6.20-1.2 Template engine for PHP
ii ucf 3.0016 Update Configuration File: preserv
ii wwwconfig-common 0.1.2 Debian web auto configuration
ii yui 2.5.0-1 Yahoo User Interface Library
ii zip 2.32-1 Archiver for .zip files
Versions of packages moodle recommends:
ii mysql-server-5.0 [ 5.0.51a-24+lenny2 MySQL database server binaries
ii php5-ldap 5.2.6.dfsg.1-1+lenny4 LDAP module for php5
moodle suggests no packages.
-- debconf-show failed
--- End Message ---
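The upstream fix only stops new backups from carrying the per-user secret; backup archives written by a vulnerable Moodle 1.8 still contain it, together with the password hashes the CVE text mentions. The following script is an added example for auditing and scrubbing such archives; it is not code from Moodle, from Debian, or from this bug report. It assumes the backup XML nests per-user fields under a `USER` element with the uppercase tag names seen in the patch (`LASTIP`, `SECRET`, `PICTURE`, plus `PASSWORD` and `USERNAME`); the inline sample document is constructed for illustration, and the hash and secret values in it are made up.

```python
"""Audit Moodle 1.8-style backup XML for per-user secrets and password hashes.

Assumed layout (mirrors the tags written by backuplib.php in the patch above):
  MOODLE_BACKUP / COURSE / USERS / USER / {USERNAME, PASSWORD, LASTIP, SECRET, ...}
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Iterable, List

# Fields the CVE description says leak into backup files.
SENSITIVE_USER_FIELDS = ("PASSWORD", "SECRET")

# Constructed sample: one user whose record still carries both fields (as a
# pre-fix backup would), one whose PASSWORD is empty and whose SECRET is absent
# (as a backup written after the fix would look). Values are fabricated.
SAMPLE_BACKUP_XML = """<MOODLE_BACKUP>
  <COURSE>
    <USERS>
      <USER>
        <ID>2</ID>
        <USERNAME>alice</USERNAME>
        <PASSWORD>0123456789abcdef0123456789abcdef</PASSWORD>
        <LASTIP>192.0.2.10</LASTIP>
        <SECRET>constructedsecretvalue</SECRET>
        <PICTURE>0</PICTURE>
      </USER>
      <USER>
        <ID>3</ID>
        <USERNAME>bob</USERNAME>
        <PASSWORD></PASSWORD>
        <LASTIP>192.0.2.11</LASTIP>
        <PICTURE>0</PICTURE>
      </USER>
    </USERS>
  </COURSE>
</MOODLE_BACKUP>
"""


def find_leaked_fields(xml_text: str) -> Dict[str, List[str]]:
    """Return {username: [field, ...]} for every USER with a non-empty sensitive field."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, List[str]] = {}
    for user in root.iter("USER"):
        name = (user.findtext("USERNAME") or "<unknown>").strip()
        leaked = [f for f in SENSITIVE_USER_FIELDS if (user.findtext(f) or "").strip()]
        if leaked:
            findings[name] = leaked
    return findings


def scrub_backup(xml_text: str, fields: Iterable[str] = ("SECRET",)) -> str:
    """Return a copy of the backup with the given USER fields removed.

    The default removes only SECRET, which is what the upstream fix stops
    writing. Removing PASSWORD as well would leave restored accounts without
    credentials, so that is left as an explicit choice for the caller.
    """
    root = ET.fromstring(xml_text)
    for user in root.iter("USER"):
        for field in fields:
            for element in user.findall(field):
                user.remove(element)
    return ET.tostring(root, encoding="unicode")


def audit_backup_zip(path: str, member: str = "moodle.xml") -> Dict[str, List[str]]:
    """Audit a zipped backup archive; `member` is the assumed name of the XML inside it."""
    with zipfile.ZipFile(path) as archive:
        with archive.open(member) as handle:
            return find_leaked_fields(io.TextIOWrapper(handle, encoding="utf-8").read())


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed sample.
    for username, leaked in find_leaked_fields(SAMPLE_BACKUP_XML).items():
        print(f"{username}: {', '.join(leaked)}")
    cleaned = scrub_backup(SAMPLE_BACKUP_XML)
    print("after scrub:", find_leaked_fields(cleaned))
```

Running `find_leaked_fields` over each archived backup tells an administrator which users' secrets have already left the database and should be treated as exposed; `scrub_backup` mirrors the write-side fix for archives that must be kept, and `audit_backup_zip` applies the same check to a zipped backup without unpacking it.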
--- Begin Message ---
Source: moodle
Source-Version: 1.8.2.dfsg-6
We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:
moodle_1.8.2.dfsg-6.diff.gz
to main/m/moodle/moodle_1.8.2.dfsg-6.diff.gz
moodle_1.8.2.dfsg-6.dsc
to main/m/moodle/moodle_1.8.2.dfsg-6.dsc
moodle_1.8.2.dfsg-6_all.deb
to main/m/moodle/moodle_1.8.2.dfsg-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hubert Chathi <hub...@remote-learner.net> (supplier of updated moodle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Thu, 07 Jan 2010 14:54:54 -0500
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.8.2.dfsg-6
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <moodle-packag...@catalyst.net.nz>
Changed-By: Hubert Chathi <hub...@remote-learner.net>
Description:
moodle - Course Management System for Online Learning
Closes: 511202 559531
Changes:
moodle (1.8.2.dfsg-6) unstable; urgency=low
.
[Penny Leach]
[ Cherry picked commits from our other branches ]
* Security fixes from lenny ( ca557bfaec1d155e955733686ae6916793e6adc7 )
- MSA-09-0019: SQL injection in update_record
- MSA-09-0022: Multiple CSRF vulnerabilities (CVE-2009-4297)
- MSA-09-0023: User account disclosure in LAMS module (CVE-2009-4298)
- MSA-09-0024: Insufficient access control in glossary (CVE-2009-4299)
- MSA-09-0026: Invalid application access control in MNET interface (CVE-2009-4301)
- MSA-09-0028: Multiple backup/restore related issues (CVE-2009-4303)
- MSA-09-0031: SQL injection in SCORM module (CVE-2009-4305)
- Closes: #559531
* Swedish translation from unfinished 1.9:
da50a5742f4fabf68aa156d81f98e09be34060bc
(Closes: #511202)
* debconf-updatepo from unfinished 1.9:
f525b18d6abd5c796c8cadce6137afd61dd2a4a7
.
[Hubert Chathi]
* move po-debconf to Build-Depends, rather than Build-Depends-Indep (fixes lintian error, regarding policy section 7.7)
[ Cherry picked commits from our other branches ]
* Another security fix from lenny ( 9604c6d5b191abaf4e3cc47e7b297984a289769f )
- MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins (CVE-2009-4302)
Checksums-Sha1:
cd5088ab5864bb2748064e15df5768aafc45a3e5 1304 moodle_1.8.2.dfsg-6.dsc
d8b9e233d02ddad3c5a32b4d5aa5dcdee7757d30 69864 moodle_1.8.2.dfsg-6.diff.gz
5f38213214fc16c7e426a2a63fa3ea608a2a7285 8630926 moodle_1.8.2.dfsg-6_all.deb
Checksums-Sha256:
c46133a69a9ae08fa0086be21f4bac6e1d3c4754420ca1a8ab625f8ec93ac708 1304 moodle_1.8.2.dfsg-6.dsc
1afab0ce1025c2a7363392e9904c12d7470d4636182030007d29915c85ca2618 69864 moodle_1.8.2.dfsg-6.diff.gz
9420c367b2a0390bd5cc8f713c7df7fee4dde9f82595139f77300e86022cd3d6 8630926 moodle_1.8.2.dfsg-6_all.deb
Files:
99626a179c768729cb5c81fd57712567 1304 web optional moodle_1.8.2.dfsg-6.dsc
bafe61f7ad4ff9f168f4e2e5acaafed5 69864 web optional moodle_1.8.2.dfsg-6.diff.gz
02e7b1666faabe1c9b5d1f780b1c44ad 8630926 web optional moodle_1.8.2.dfsg-6_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREDAAYFAktLfqMACgkQrynHGRJLYfpNjQCgkGF/NaYxJsaTmaDK/mUQtARH
g5QAnA0IHXghHqXCwFdAvSnBnl/vGj2v
=KRny
-----END PGP SIGNATURE-----
--- End Message ---