| Summary: | moodle new security issues fixed in 2.6.4 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | dpremy, mageia, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/607135/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | moodle-2.6.3-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-07-18 02:31:39 CEST
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3 Version:
Cauldron =>
4 Working fine on our production Moodle server at work (Mageia 4 i586). I even tried switching back to php-opcache as I had had problems with it before, but one of our recent PHP updates must have fixed that too. Nice! Whiteboard:
MGA3TOO =>
MGA3TOO MGA4-32-OK On MGA4-64 I was able to install Moodle and get a basic site up and running, then upgraded and went through the db upgrade with no issue. I don't have a pre-built site but those options I tried worked. CC:
(none) =>
dpremy Details on the issues fixed in this round of Moodle updates were released: http://www.openwall.com/lists/oss-security/2014/07/21/2 Advisory: ======================== Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.4, serialised data passed by repositories could potentially contain objects defined by add-ons that could include executable code (CVE-2014-3541). In Moodle before 2.6.4, it was possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files (CVE-2014-3542). In Moodle before 2.6.4, it was possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files (CVE-2014-3543). In Moodle before 2.6.4, filtering of the Skype profile field was not removing potentially harmful code (CVE-2014-3544). In Moodle before 2.6.4, it was possible to inject code into Calculated questions that would be executed on the server (CVE-2014-3545). In Moodle before 2.6.4, it was possible to get limited user information, such as user name and courses, by manipulating the URL of profile and notes pages (CVE-2014-3546). In Moodle before 2.6.4, the details of badges from external sources were not being filtered (CVE-2014-3547). In Moodle before 2.6.4, content of exception dialogues presented from AJAX calls was not being escaped before being presented to users (CVE-2014-3548). In Moodle before 2.6.4, fields in rubrics were not being correctly filtered (CVE-2014-3551). In Moodle before 2.6.4, forum was allowing users who were members of more than one group to post to all groups without the capability to access all groups (CVE-2014-3553). The moodle package has been updated to version 2.6.4, to fix these issues and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3541 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3542 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3545 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3546 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3547 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3548 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3551 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3553 https://moodle.org/mod/forum/discuss.php?d=264262 https://moodle.org/mod/forum/discuss.php?d=264263 https://moodle.org/mod/forum/discuss.php?d=264264 https://moodle.org/mod/forum/discuss.php?d=264265 https://moodle.org/mod/forum/discuss.php?d=264266 https://moodle.org/mod/forum/discuss.php?d=264267 https://moodle.org/mod/forum/discuss.php?d=264268 https://moodle.org/mod/forum/discuss.php?d=264269 https://moodle.org/mod/forum/discuss.php?d=264270 https://moodle.org/mod/forum/discuss.php?d=264273 http://docs.moodle.org/dev/Moodle_2.6.4_release_notes Advisory uploaded. This still needs to be tested on mga3 before it can be validated. CC:
(none) =>
remi
Rémi Verschelde
2014-07-28 20:20:33 CEST
Whiteboard:
MGA3TOO MGA4-32-OK MGA4-64-OK advisory =>
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory Fedora has issued an advisory for this on July 22: https://lists.fedoraproject.org/pipermail/package-announce/2014-July/136159.html URL:
(none) =>
http://lwn.net/Vulnerabilities/607135/ Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 Please push this to core/updates for Mageia 3 and Mageia 4. Keywords:
(none) =>
validated_update Made sure it installs in Mageia 3 32bit. Whiteboard:
MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory =>
MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK advisory Update pushed. http://advisories.mageia.org/MGASA-2014-0308.html Status:
NEW =>
RESOLVED |