lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20081023213341.GD21108@outflux.net>
Date: Thu, 23 Oct 2008 14:33:41 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-658-1] Moodle vulnerability

===========================================================
Ubuntu Security Notice USN-658-1           October 23, 2008
moodle vulnerability
CVE-2008-1502, CVE-2008-1502
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  moodle                          1.8.2-1ubuntu2.1

Ubuntu 8.04 LTS:
  moodle                          1.8.2-1ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Lukasz Pilorz discovered that the HTML filtering used in Moodle was not
strict enough.  A remote attacker could send malicious requests to Moodle
and execute arbitrary code as the web server user.


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu2.1.diff.gz
      Size/MD5:    19705 cddd2761b29fe98f6f0686155b299f48
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu2.1.dsc
      Size/MD5:      741 1590c124a2dbff31fa8aee6f5a3add91
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
      Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu2.1_all.deb
      Size/MD5:  9294484 c7ec1ead92a220103ea5ca5b439718bb

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.1.diff.gz
      Size/MD5:    19903 31e6f4b817f844d93c4704cdfa70caf0
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.1.dsc
      Size/MD5:      741 7968ef24932d8eae67263dc57985050c
    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2.orig.tar.gz
      Size/MD5: 10157112 4e6afcfd567571af0638533d157f9181

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubuntu4.1_all.deb
      Size/MD5:  9294736 536da637d3f4f399a467a077575660e4


Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ