
Have a CVE / MSA security data in update api / feed with security report checks

      Description

      Most partners have their ear to the ground for security issues, but we'd still like to automate this.

      Currently the only place I'm aware of that you can get CVE to MSA to Tracker MDL mapping is this forum after they are released:

      https://moodle.org/mod/forum/view.php?id=7128

      eg:

      https://moodle.org/mod/forum/discuss.php?d=403513

       

      1) I just want all that same data in a more solid programmatic form:

      Severity/Risk: Serious
      Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
      Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
      Reported by: Paul Holden
      Workaround: Disable the 'SCORM package' activity type until the patch is applied.
      CVE identifier: CVE-2020-10738
      Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410
      Tracker issue: MDL-68410 Remote code execution possible via SCORM packages

       

      2) I think the API that Moodle calls to grab the updates needs to also be aware of the presence and severity of any issues:

      https://download.moodle.org/api/1.3/updates.php

       

      3) Write Check API checks for this in the security report:

      /report/security/index.php

      3.1) This should show as a warning as soon as there is a serious security patch available which hasn't been applied. The check detail can show the MSAs and deep link to the public security forum post for that MSA.

      3.2) This should show as critical if it still hasn't been applied after some configurable period, which might default to 1 week.

      3.3) This should show as info if there is a minor non-security patch which isn't applied.

      3.4) This should show as a warning if there is a minor non-security patch which isn't applied after some more generous time period, maybe a month.
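As an added example (not part of the reporter's issue and not Moodle's own code), the block below shows what points 1) and 3) amount to in code: it parses one MSA block of the kind quoted above into a structured record, decides whether an installed version falls in the affected ranges, and applies the proposed escalation (warning for an unapplied security patch, critical after a configurable grace period defaulting to 7 days; info for an unapplied non-security update, warning after 30 days). Status values are plain strings rather than the Check API's constants, the 30-day figure stands in for "maybe a month", every applicable MSA is escalated regardless of its Severity/Risk value, and the sample MSA text is a constructed copy of the one quoted in the issue; all of these are assumptions of the example.

```python
"""Parse an MSA advisory block and rate it the way the proposed security-report check would."""
import re
from dataclasses import dataclass

# Plain string statuses (assumption: stand-ins for the Check API's levels).
OK, INFO, WARNING, CRITICAL = "ok", "info", "warning", "critical"

# Constructed sample, copied from the advisory format quoted in the issue.
SAMPLE_MSA = """Severity/Risk: Serious
Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: Paul Holden
CVE identifier: CVE-2020-10738
Tracker issue: MDL-68410 Remote code execution possible via SCORM packages
"""


@dataclass
class Advisory:
    severity: str
    cve: str
    tracker: str
    affected_ranges: list      # list of (low, high) version strings, inclusive
    fixed_versions: list
    earlier_affected: bool     # "and earlier unsupported versions"


def parse_msa(text):
    """Turn the forum-style 'Key: value' block into an Advisory record."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only (URLs contain more)
        if sep:
            fields[key.strip().lower()] = value.strip()
    affected = fields.get("versions affected", "")
    return Advisory(
        severity=fields.get("severity/risk", ""),
        cve=(re.search(r"CVE-\d{4}-\d+", fields.get("cve identifier", "")) or [None]) and
            re.search(r"CVE-\d{4}-\d+", fields.get("cve identifier", "")).group(0),
        tracker=re.search(r"MDL-\d+", fields.get("tracker issue", "")).group(0),
        affected_ranges=re.findall(r"(\d+(?:\.\d+)*) to (\d+(?:\.\d+)*)", affected),
        fixed_versions=re.findall(r"\d+(?:\.\d+)+", fields.get("versions fixed", "")),
        earlier_affected="earlier" in affected,
    )


def _vkey(version, width=3):
    """'3.8' -> (3, 8, 0) so that 3.8 and 3.8.0 compare equal."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (width - len(parts))


def is_affected(advisory, installed):
    """True when the installed version lies in an affected range or below the oldest one."""
    inst = _vkey(installed)
    for low, high in advisory.affected_ranges:
        if _vkey(low) <= inst <= _vkey(high):
            return True
    if advisory.earlier_affected and advisory.affected_ranges:
        return inst < min(_vkey(low) for low, _ in advisory.affected_ranges)
    return False


def security_patch_status(advisory, installed, days_since_fix, grace_days=7):
    """Point 3.1/3.2: warning as soon as a fix is out, critical once the grace period has passed."""
    if not is_affected(advisory, installed):
        return OK
    return CRITICAL if days_since_fix > grace_days else WARNING


def nonsecurity_update_status(days_available, grace_days=30):
    """Point 3.3/3.4: info for an unapplied minor release, warning after the longer period."""
    return WARNING if days_available > grace_days else INFO


if __name__ == "__main__":
    adv = parse_msa(SAMPLE_MSA)
    print(adv.cve, adv.tracker, adv.fixed_versions)
    for installed, days in (("3.8.2", 3), ("3.8.2", 10), ("3.8.3", 10), ("3.4.1", 0)):
        print(installed, days, security_patch_status(adv, installed, days))
```

The parser is deliberately limited to the fields the issue lists; a real feed would carry this as JSON alongside the updates API response rather than being scraped from forum posts.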

       

Assignee: Unassigned
Reporter: Brendan Heywood (brendanheywood)
Component watchers: Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Matteo Scaramuccia, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
Votes: 1
Watchers: 3