Mageia Bugzilla – Bug 10755
moodle new security issues fixed in 2.4.5
Last modified: 2014-05-08 18:05:42 CEST
Moodle has released version 2.4.5 on July 8:
The issues fixed in this release will be listed in the release notes:
The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.
In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron. No changes have been made other than updating to 2.4.5.
Updated package in core/updates_testing:
Steps to Reproduce:
For testing instructions, see:
Updated moodle package fixes security vulnerabilities:
Flash files distributed with the YUI library in Moodle before 2.4.5 may have
allowed for cross-site scripting attacks (MSA-13-0025).
Privacy settings for the IMS-LTI (External tool) module in Moodle before
2.4.5 were not able to be changed so personal information was always
Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5
without the required capability (CVE-2013-2242).
It was possible to determine answers from ID values in Lesson activity
matching questions in Moodle before 2.4.5 (CVE-2013-2243).
Conditional access rule values for user fields were able to contain unescaped
HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).
When impersonating another user using RSS tokens in Moodle before 2.4.5, an
error was displayed, but block information relevant to the person being
impersonated was shown (CVE-2013-2245).
The Feedback module in Moodle before 2.4.5 was showing personal information
to users without the needed capability (CVE-2013-2246).
To get this up and running, it's similar to other web app packages.
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<PASSWORD>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Then, edit /var/www/moodle/config.php, and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser (or whatever user you created in the create user command in mysql), and the password you used in the create user mysql command for dbpass.
Then browse to http://localhost/moodle to complete the setup.
There's a lot more documentation on using moodle at:
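As an added example (not part of the bug report or of the Mageia moodle package), a POSIX shell script that performs the manual steps above: it prints the SQL the comment types in by hand, fills the empty dbuser/dbpass quotes in config.php, and generates a database password instead of a hand-typed one. The /var/www/moodle/config.php path is the one given in the comment; the --apply flag and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: automates the DB/config steps above.
# Assumes the Mageia layout (/var/www/moodle/config.php) and a local mysqld
# reachable as root via "mysql -u root".
set -eu

# Generate a DB password restricted to [A-Za-z0-9] so it is safe to embed
# unquoted in the SQL, in sed replacement text and inside PHP single quotes.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# The SQL from the comment; privileges stay scoped to the moodle database only.
moodle_db_sql() {
    user=$1; pass=$2
    printf "CREATE DATABASE moodle;\n"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT ALL ON moodle.* TO '%s'@'localhost';\n" "$user"
    printf "ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;\n"
}

# Fill the empty quotes of $CFG->dbuser / $CFG->dbpass in config.php in place.
# user/pass must not contain the sed delimiter '|', '&' or '\' (see gen_password).
set_moodle_db_config() {
    cfg=$1; user=$2; pass=$3
    sed -i \
        -e "s|^\(\\\$CFG->dbuser[[:space:]]*=[[:space:]]*\)'';|\1'$user';|" \
        -e "s|^\(\\\$CFG->dbpass[[:space:]]*=[[:space:]]*\)'';|\1'$pass';|" \
        "$cfg"
}

# Read back a $CFG->name value (the text between its single quotes).
moodle_cfg_value() {
    sed -n "s|^\\\$CFG->$2[[:space:]]*=[[:space:]]*'\(.*\)';.*|\1|p" "$1"
}

# Only touches the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    PASS=$(gen_password)
    systemctl enable mysqld.service
    systemctl start mysqld.service
    moodle_db_sql moodle "$PASS" | mysql -u root
    set_moodle_db_config /var/www/moodle/config.php moodle "$PASS"
    chmod 640 /var/www/moodle/config.php   # config.php now holds a credential
fi
```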
Sorry David, I didn't notice you'd already given a link.
Testing mga3 64
Installed and configured with the admin user and created a sample course.
Installed the update candidate and it then offered to upgrade the database and one plugin, I thought I'd remember its name but I don't :\
All OK after doing so, the login and course are still present.
Testing complete mga3 64
Testing mga3 32
Testing complete mga3 32
Validating. Advisory from comment 0 uploaded.
Could sysadmin please push from 3 core/updates_testing to core/updates