Summary: | www-apps/moodle: CRLF Injection vulnerability (CVE-2011-4203) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | trivial | CC: | blueness, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2012-02-26 22:15:00 UTC
(In reply to comment #0)
> CVE-2011-4203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4203):
> CRLF injection vulnerability in calendar/set.php in the Calendar component
> in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and
> 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct
> HTTP response splitting attacks via vectors involving the url variable.
>
> I do not believe we are affected for any < 2.2 slots. But I was unable to find
> information for which version of 2.2 was fixed. The blog at [1] says that this
> is issue MDL-24808. Help? Thanks.
>
> [1] https://penturalabs.wordpress.com/2011/12/13/advisory-crlf-injection-vulnerability-in-moodle/

The fix should be in all current moodle ebuilds. 1.9.16, 2.0.7 and 2.2.1 fixed the issue. They were all released at the same time and I added the ebuilds to the tree at the same time.

(In reply to comment #1)
> The fix should be in all current moodle ebuilds. 1.9.16, 2.0.7 and 2.2.1 fixed
> the issue. They were all released at the same time and I added the ebuilds to
> the tree at the same time.

Great, thank you. Resolving as INVALID.