Moodle released version 2.4.6 on September 9:
The issues fixed in this release will be listed in the release notes:
The bugs fixed are already there, but the security issues won't be listed there until next week, so an advisory won't be available until then.
In the meantime, this could still be tested, as I've uploaded updated packages for Mageia 3 and Cauldron. No changes have been made other than updating to 2.4.6.
For testing instructions, see:
Updated package in core/updates_testing:
Steps to Reproduce:
Testing complete on both arches, just checking that Moodle is working.
Waiting for the advisory before validating.
Details and CVEs have been released:
Note that the MSA-13-0032/CVE-2012-6087 issue had already been fixed locally in our package since it was first imported.
Updated moodle package fixes security vulnerabilities:
Null characters were allowed in query strings in Moodle before 2.4.6, which caused SQL statements to terminate and fail, potentially allowing SQL injection in Moodle's SQL Server driver (CVE-2013-4313).

Links to external blogs were not being adequately cleaned in Moodle before 2.4.6, potentially allowing for XSS attacks (CVE-2013-4341).
Updated packages in core/updates_testing:
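The CVE-2013-4313 description above is about a general hazard: a web application sees a request parameter as a full string, but any NUL-terminated C interface underneath it (a database driver, for instance) stops reading at the first null byte, so the two layers disagree about what the value is. The following is an added illustration written for this page, not code from Moodle or from the Mageia package, and it does not reproduce the actual Moodle bug or its fix. The query string `SAMPLE_QUERY` is constructed for the example, and the `reject_nul_params` hardening is one generic choice (reject the request), not a claim about how Moodle 2.4.6 resolved the issue.

```python
import ctypes
from urllib.parse import parse_qs

# Constructed sample query string for this example (not taken from the bug report).
# "%00" decodes to a NUL byte inside the "search" parameter.
SAMPLE_QUERY = "search=alice%00%27+OR+1%3D1--&page=2"


def parse_params(query_string: str) -> dict:
    """Decode a query string the way a typical web framework does (first value per key)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def seen_by_c_api(value: str) -> str:
    """Return the part of `value` a NUL-terminated C interface would actually read.

    ctypes.c_char_p reads the buffer up to the first NUL byte, which mirrors what
    any C-string-based driver or library does with the same bytes.
    """
    return ctypes.c_char_p(value.encode("utf-8")).value.decode("utf-8")


def find_truncated_params(params: dict) -> dict:
    """Map each parameter whose application-level view and C-level view differ
    to the pair (full_value, truncated_value). An empty result means no mismatch."""
    mismatches = {}
    for key, value in params.items():
        c_view = seen_by_c_api(value)
        if c_view != value:
            mismatches[key] = (value, c_view)
    return mismatches


def reject_nul_params(params: dict) -> dict:
    """Hardened handling (assumed generic mitigation, not Moodle's actual fix):
    refuse any parameter containing a NUL byte before it can reach a driver."""
    for key, value in params.items():
        if "\x00" in value:
            raise ValueError(f"parameter {key!r} contains a NUL byte")
    return params


if __name__ == "__main__":
    params = parse_params(SAMPLE_QUERY)
    for key, (full, truncated) in find_truncated_params(params).items():
        print(f"{key}: application sees {full!r}, C layer sees {truncated!r}")
    try:
        reject_nul_params(params)
    except ValueError as exc:
        print("rejected:", exc)
```

The mismatch is the point: a validator or escaping routine that inspects the full string can be satisfied by bytes that the lower layer never reads, and the statement the driver receives is not the one the application thought it built. Rejecting NUL early (or using bound parameters so the driver never sees application-assembled SQL) removes the disagreement.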
Advisory uploaded, thanks David.
Could sysadmin please push from 3 core/updates_testing to updates?