CVE-2011-4203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4203):
CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.

I do not believe we are affected for any < 2.2 slots. But I was unable to find information for which version of 2.2 was fixed. The blog at [1] says that this is issue MDL-24808. Help? Thanks.

[1] https://penturalabs.wordpress.com/2011/12/13/advisory-crlf-injection-vulnerability-in-moodle/
(In reply to comment #0)
> CVE-2011-4203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4203):
> CRLF injection vulnerability in calendar/set.php in the Calendar component
> in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and
> 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct
> HTTP response splitting attacks via vectors involving the url variable.
>
> I do not believe we are affected for any < 2.2 slots. But I was unable to find
> information for which version of 2.2 was fixed. The blog at [1] says that this
> is issue MDL-24808. Help? Thanks.
>
> [1]
> https://penturalabs.wordpress.com/2011/12/13/advisory-crlf-injection-vulnerability-in-moodle/

The fix should be in all current moodle ebuilds. 1.9.16, 2.0.7 and 2.2.1 fixed the issue. They were all released at the same time and I added the ebuilds to the tree at the same time.
(In reply to comment #1)
> The fix should be in all current moodle ebuilds. 1.9.16, 2.0.7 and 2.2.1 fixed
> the issue. They were all released at the same time and I added the ebuilds to
> the tree at the same time.

Great, thank you. Resolving as INVALID.