Summary
The remote host is missing an update to moodle
announced via advisory FEDORA-2009-3280.
Solution
Apply the appropriate updates.
This update can be installed with the yum update program. Use su -c 'yum update moodle' at the command line.
For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/.
https://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-3280
Insight
Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities.
Update Information:
CVE-2009-1171: The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a $$ sequence, which causes LaTeX to include the contents of the file.
Upstream bug and CVS commit:
http://tracker.moodle.org/browse/MDL-18552
http://cvs.moodle.org/moodle/filter/tex/filter.php?r1=1.18.4.4&r2=1.18.4.5
Upstream further reported that the above patch is not sufficient and following change should be used instead:
For >=1.9.0: http://git.catalyst.net.nz/gw?p=moodle-r2.git a=commitdiff
h=b950f126018a9e16a298d278375a0eedf791e5dd
For 1.6.* - 1.8.*: http://git.catalyst.net.nz/gw?p=moodle-r2.git a=commitdiff
h=cc9bf1486e7ea9e8cda1e4522b96e07245459a0d
ChangeLog:
* Wed Apr 1 2009 Jon Ciesla - 1.9.4-6
- Patch for CVE-2009-1171, BZ 493109.
* Tue Mar 24 2009 Jon Ciesla - 1.9.4-5
- Update for freefont->gnu-free-fonts change.
References
Severity
Classification
-
CVE CVE-2008-4796, CVE-2008-5153, CVE-2009-0499, CVE-2009-1171 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities