Details for security issues fixed in Moodle 2.4.8 were released on January 20:
http://openwall.com/lists/oss-security/2014/01/20/1

Status: NEW => ASSIGNED
Whiteboard: (none) => MGA3TOO
Fedora has issued an advisory for this on January 23: https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
URL: (none) => http://lwn.net/Vulnerabilities/583668/
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being recorded and shown to administrators in the config log report (CVE-2014-0008).

In Moodle before 2.4.8, users were able to log in as a user who is not in the same group without the permission to see all groups (CVE-2014-0009).

In Moodle 2.4.8, custom profile fields and categories were open to deletion without proper session checking, due to two Cross-site Request Forgery (CSRF) vulnerabilities in /user/profile/index.php (CVE-2014-0010).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0010
https://moodle.org/mod/forum/discuss.php?d=252414
https://moodle.org/mod/forum/discuss.php?d=252415
https://moodle.org/mod/forum/discuss.php?d=252416
http://docs.moodle.org/dev/Moodle_2.4.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=251856
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
========================

Updated packages in core/updates_testing:
========================
moodle-2.4.8-1.mga3
moodle-2.4.8-1.mga4

from SRPMS:
moodle-2.4.8-1.mga3.src.rpm
moodle-2.4.8-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: luigiwalser => qa-bugs
Severity: normal => major
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10755#c2
CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

I tried to follow the procedure in comment #3. I had to install apache in addition to the steps described there. However, httpd won't start, fails with the following error (related to moodle):

Feb 11 12:29:04 localhost systemd[1]: Starting The Apache HTTP Server...
Feb 11 12:29:04 localhost httpd[18294]: AH00526: Syntax error on line 32 of /etc/httpd/conf/sites.d/moodle.conf:
Feb 11 12:29:04 localhost httpd[18294]: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the ...uration
Feb 11 12:29:04 localhost systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 11 12:29:04 localhost httpd[18295]: AH00526: Syntax error on line 32 of /etc/httpd/conf/sites.d/moodle.conf:
Feb 11 12:29:04 localhost httpd[18295]: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the ...uration
Feb 11 12:29:04 localhost systemd[1]: Failed to start The Apache HTTP Server.
Feb 11 12:29:04 localhost systemd[1]: Unit httpd.service entered failed state

This is because apache-mod_php is missing. After installing it, it works. Missing deps (or instructions) in moodle?

Apart from the missing dependency, seems to work ok in i586. I haven't tested the migration, I will do it in my 64-bit test.
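Added example, not part of the bug report or the Mageia packages: a small POSIX sh pre-flight check for the misconfiguration that broke httpd in the comment above (php_flag/php_value directives in the site config while no mod_php module is loaded). The return-code convention, the sample configs and the idea that LoadModule lines live in a single file whose path you pass in are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the bug report or the Mageia packages: a pre-flight
# check for the failure in the comment above, where moodle.conf uses php_flag
# but no module defining that directive (apache-mod_php) is loaded, so httpd
# fails with AH00526 "Invalid command 'php_flag'". Both paths are arguments;
# the location of the LoadModule file is site-specific and assumed here.

# check_php_directives SITE_CONF MODULES_CONF
#   0: no php_* directives, or php_* directives and a php module loaded
#   1: php_* directives present but no LoadModule for a php module
#   2: site config not readable
check_php_directives() {
    site_conf=$1
    modules_conf=$2
    [ -r "$site_conf" ] || { echo "unreadable: $site_conf" >&2; return 2; }
    # Directives only mod_php defines; anchoring on ^ skips commented-out lines.
    php_lines=$(grep -nE '^[[:space:]]*php_(flag|value|admin_flag|admin_value)[[:space:]]' "$site_conf" || true)
    if [ -z "$php_lines" ]; then
        echo "ok: $site_conf uses no php_* directives"
        return 0
    fi
    # mod_php registers as php5_module, php7_module or php_module by version.
    if [ -r "$modules_conf" ] &&
       grep -qE '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module[[:space:]]' "$modules_conf"; then
        echo "ok: php_* directives used and a php module is loaded"
        return 0
    fi
    echo "FAIL: php_* directives but no mod_php loaded (install apache-mod_php):" >&2
    printf '%s\n' "$php_lines" | sed 's/^/  line /' >&2
    return 1
}

# Constructed sample files mirroring the report; not the packaged configs.
write_samples() {
    dir=$1
    cat > "$dir/moodle.conf" <<'EOF'
Alias /moodle /usr/share/moodle
<Directory /usr/share/moodle>
    # php_flag display_errors off   (commented out: must not count)
    php_flag register_globals off
    php_value upload_max_filesize 64M
</Directory>
EOF
    # Module list with mod_php present, and the state that produced AH00526.
    printf 'LoadModule php5_module modules/libphp5.so\n' > "$dir/with_php.conf"
    printf 'LoadModule dir_module modules/mod_dir.so\n' > "$dir/without_php.conf"
}
```

On a Mageia host the first argument is the /etc/httpd/conf/sites.d/moodle.conf named in the report; the second is whichever file carries your LoadModule lines.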
Testing mga3 64 complete. Followed procedure with release (or updates) moodle before updating the package from updates testing. Then connected to moodle, followed the upgrade steps it asked me to follow, and all went well. Created a second course. Not validating until we create a bug report for the dependency problem.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK
It's not a dependency "problem." The dependencies are the same in Fedora too, and would be most other places. I do use Apache, but it's not the only webserver.
If it requires a webserver, shouldn't it require or at least suggest the "webserver" provides? I was not talking about requiring apache specifically. As for apache-mod_php, I don't know what the equivalent is for other webservers, nor whether they have a common provides. But this is out of scope for this update.

(In reply to Samuel VERSCHELDE from comment #8)
> If it requires a webserver, shouldn't it require or at least suggest the
> "webserver" provides? I was not talking about requiring apache specifically.

Yes, this should be on its own site http://docs.moodle.org/24/en/Installing_Moodle#Software which mentions "Primarily Apache or IIS. Not fully tested (or supported) but should work are Lighttpd, Nginx, Cherokee, Zeus and LiteSpeed" and "PHP - The minimum version is currently 5.3.2. A number of extensions are required; see the PHP page for full details" but those are PHP *not* Apache extensions. Refer to MoodleDocs.
CC: (none) => lewyssmith
Back to Mageia 4 64-bit test on real hardware. Summary of steps taken:

Install from base (this is considerable):
- Apache
- apache-mod_php
- MariaDB
- Moodle [moodle-2.4.7-1.mga4]

systemctl enable httpd.service
systemctl start httpd.service
systemctl enable mysqld.service
systemctl start mysqld.service

Then as Bug 10755 comment 2 mysql onwards. The setup is long & thorough. Created myself as admin [attention to note well the username & fiddly password], and a 1-item course with myself subscribed. Logout.

In 'test repository mode', updated Moodle from Mageia Control Centre to moodle-2.4.8-1.mga4. On re-logging in it recognised it had been updated, plus a few extras. Just carrying on, all its updates went well, thorough but quick. Then added something to the course, all worked fine (within the context of not knowing what to do!).

MGA4-64-OK
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK
Testing Mageia 4 i586.
CC: (none) => remi
Testing complete Mageia 4 i586, following the helpful procedure from comment 3 and with apache and apache-mod_php as pointed out by Stormi. I could set up everything and register a "QA Testing 101" course.

Validating update. Could someone upload the advisory in comment 2 and a sysadmin push the update from core/updates_testing to core/updates for both Mageia 3 and 4?

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0053.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED