Bug#703870: moodle: Multiple security issues reported

[Salvatore Bonaccorso]

Source: moodle
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for moodle.

CVE-2013-1829[0]:
Calendar subscription capability issue

(this seems not to affect moodle in Debian as versions affected are
reported as 2.4 to 2.4.1)

CVE-2013-1830[1]:
Information leak in course profiles

CVE-2013-1831[2]:
Server information revealed through exception messages

CVE-2013-1832[3]:
Password revealed in WebDav repository

CVE-2013-1833[4]:
Cross-site scripting issue in Filepicker

CVE-2012-3363[5]:
| Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before
| 1.12.0 does not properly handle SimpleXMLElement classes, which allows
| remote attackers to read arbitrary files or create TCP connections via
| an external entity reference in a DOCTYPE element in an XML-RPC
| request, aka an XML external entity (XXE) injection attack.

CVE-2013-1834[6]:
Form manipulation issue in notes

CVE-2013-1835[7]:
Personal information leak through repositories

CVE-2013-1836[8]:
Unauthorised settings editing through WebDav repository

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
    http://security-tracker.debian.org/tracker/CVE-2013-1829
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
    http://security-tracker.debian.org/tracker/CVE-2013-1830
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
    http://security-tracker.debian.org/tracker/CVE-2013-1831
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
    http://security-tracker.debian.org/tracker/CVE-2013-1832
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
    http://security-tracker.debian.org/tracker/CVE-2013-1833
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
    http://security-tracker.debian.org/tracker/CVE-2012-3363
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
    http://security-tracker.debian.org/tracker/CVE-2013-1834
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
    http://security-tracker.debian.org/tracker/CVE-2013-1835
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
    http://security-tracker.debian.org/tracker/CVE-2013-1836

Please adjust the affected versions in the BTS as needed.

Thank you for your work!

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org