[SECURITY] Fedora EPEL 6 Update: moodle-2.4.7-1.el6

updates at fedoraproject.org updates at fedoraproject.org
Tue Dec 3 01:22:23 UTC 2013 

--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2013-12102
2013-11-14 18:13:55
--------------------------------------------------------------------------------

Name        : moodle
Product     : Fedora EPEL 6
Version     : 2.4.7
Release     : 1.el6
URL         : http://moodle.org/
Summary     : A Course Management System
Description :
Moodle is a course management system (CMS) - a free, Open Source software
package designed using sound pedagogical principles, to help educators create
effective online learning communities.

--------------------------------------------------------------------------------
Update Information:

Latest upstreams, multiple security fixes.

Name: CVE-2013-6780
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780
Assigned: 20131112
Reference: https://yuilibrary.com/support/20131111-vulnerability/

Cross-site scripting (XSS) vulnerability in uploader.swf in the
Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote
attackers to inject arbitrary web script or HTML via the allowedDomain
parameter.

Name: CVE-2013-3630
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3630 [Open">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3630">Open URL]
Assigned: 20130521
Reference: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one [Open">https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one">Open URL]
Reference: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats [Open">https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats">Open URL]

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1025655 - CVE-2013-3630 moodle: authenticated remote command execution [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1025655
  [ 2 ] Bug #1025656 - CVE-2013-3630 moodle: authenticated remote command execution [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1025656
  [ 3 ] Bug #1030084 - CVE-2013-6780 moodle: XSS vulnerability in YUI 2.5.0 through 2.9.0 [epel-5]
        https://bugzilla.redhat.com/show_bug.cgi?id=1030084
  [ 4 ] Bug #1030085 - CVE-2013-6780 moodle: XSS vulnerability in YUI 2.5.0 through 2.9.0 [fedora-18]
        https://bugzilla.redhat.com/show_bug.cgi?id=1030085
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update moodle' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the epel-package-announce mailing list