| Summary: | moodle new security issues fixed in 2.8.12 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/688054/ | | |
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | moodle-2.8.11-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2016-05-10 16:12:18 CEST
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Working fine on our production Moodle server at work, Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Testing M5 x64 real hardware, PostgreSQL

Re-installed Moodle with Postgres from scratch.
https://docs.moodle.org/30/en/PostgreSQL

```
$ psql -U postgres
Password for user postgres:
```

Create the user for the Moodle database and assign a password:

```
postgres=# CREATE USER <moodleuser> WITH PASSWORD '<yourpassword>';
```

Create the database:

```
postgres=# CREATE DATABASE moodle WITH OWNER <moodleuser>;
```

Edited /var/www/moodle/config.php :

```
$CFG->dbtype = 'pgsql';
$CFG->dbname = 'moodle';
$CFG->dbuser = '<moodleDBuser>';
$CFG->dbpass = '<DBuserpassword>';
```

http://localhost/moodle then leads to a *very long* verification & setup sequence. Note well the Moodle admin username & rigorous password you define!

Played minimally, upgraded without problems to:
moodle-2.8.12-1.mga5

http://localhost/moodle displayed immediately the default site page; but logging in as admin yields another *long* verification/confirmation process. At the end of which, the system works OK.
(Well, I did get a pop-up JSON error when trying inexpertly to add a lesson to a course; ignoring that).

CC: (none) => lewyssmith
claire robinson
2016-05-12 13:39:59 CEST
Keywords: (none) => validated_update

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.12, users are able to change profile fields that were locked by the administrator (CVE-2016-3729).

In Moodle before 2.8.12, names of hidden forums or discussions could be disclosed as part of the error message on the subscription page (CVE-2016-3731).

In Moodle before 2.8.12, users can view badges of other users without proper permissions (CVE-2016-3732).

In Moodle before 2.8.12, during the course restore, teachers could overwrite the idnumber even without having the capability to change it (CVE-2016-3733).

In Moodle before 2.8.12, possible CSRF in the URL that marks forum posts as read (CVE-2016-3734).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3734
https://moodle.org/mod/forum/discuss.php?d=333186
https://moodle.org/mod/forum/discuss.php?d=333189
https://moodle.org/mod/forum/discuss.php?d=333190
https://moodle.org/mod/forum/discuss.php?d=333191
https://moodle.org/mod/forum/discuss.php?d=333192
https://docs.moodle.org/dev/Moodle_2.8.12_release_notes
https://moodle.org/mod/forum/discuss.php?d=332775
claire robinson
2016-05-18 18:44:35 CEST
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0180.html

Status: NEW => RESOLVED
David Walser
2016-05-19 16:42:43 CEST
URL: (none) => http://lwn.net/Vulnerabilities/688054/