Upstream has released updates on March 10:
https://moodle.org/mod/forum/discuss.php?d=255903

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages:
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I'll write an advisory once the details are available.

Updated packages in core/updates_testing:
========================
moodle-2.4.9-1.mga3
moodle-2.4.9-1.mga4

from SRPMS:
moodle-2.4.9-1.mga3.src.rpm
moodle-2.4.9-1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => MGA3TOO has_procedure
Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly possibly allowing cross site scripting, as quiz_question_tostring can cause invalid HTML (MSA-14-0004).

Feedback Availability dates not honored in complete.php in Moodle before 2.4.9, therefore it was possible to start a Feedback activity while it was supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with /mod/chat/chat_ajax.php, where capabilities to chat were being checked at the start of a chat, but not during, so changes were not effective immediately (CVE-2014-0122).

In Moodle before 2.4.9, there were missing access checks on Wiki pages allowing students to see pages of other students' individual wikis, through the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross site scripting was possible with Flowplayer (MSA-14-0008).

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in enrol/imsenterprise/importnow.php, due to inadequate session checking when triggering the import of IMS Enterprise identities (CVE-2014-0126).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
https://moodle.org/mod/forum/discuss.php?d=256416
https://moodle.org/mod/forum/discuss.php?d=256417
https://moodle.org/mod/forum/discuss.php?d=256418
https://moodle.org/mod/forum/discuss.php?d=256419
https://moodle.org/mod/forum/discuss.php?d=256420
https://moodle.org/mod/forum/discuss.php?d=256421
https://moodle.org/mod/forum/discuss.php?d=256422
https://moodle.org/mod/forum/discuss.php?d=256423
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=255903
CVEs were assigned for a few of the issues that were missing them:
http://openwall.com/lists/oss-security/2014/03/22/1

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly possibly allowing cross site scripting, as quiz_question_tostring can cause invalid HTML (CVE-2014-2571).

Feedback Availability dates not honored in complete.php in Moodle before 2.4.9, therefore it was possible to start a Feedback activity while it was supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with /mod/chat/chat_ajax.php, where capabilities to chat were being checked at the start of a chat, but not during, so changes were not effective immediately (CVE-2014-0122).

In Moodle before 2.4.9, there were missing access checks on Wiki pages allowing students to see pages of other students' individual wikis, through the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross site scripting was possible with Flowplayer (CVE-2013-7341).

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in enrol/imsenterprise/importnow.php, due to inadequate session checking when triggering the import of IMS Enterprise identities (CVE-2014-0126).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2571
https://moodle.org/mod/forum/discuss.php?d=256416
https://moodle.org/mod/forum/discuss.php?d=256417
https://moodle.org/mod/forum/discuss.php?d=256418
https://moodle.org/mod/forum/discuss.php?d=256419
https://moodle.org/mod/forum/discuss.php?d=256420
https://moodle.org/mod/forum/discuss.php?d=256421
https://moodle.org/mod/forum/discuss.php?d=256422
https://moodle.org/mod/forum/discuss.php?d=256423
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=255903
Trying for M4 on real 64-bit hardware.

Installed & primed Moodle moodle-2.4.8-1.mga4 from normal repositories as per: 12385/10, 10755/2.

Updated to moodle-2.4.9-1.mga4 from Updates Testing, re-launched it. It recognised that it had been updated, OK'd its system requirements, then its Plugin checks gave:

- Formal languages block addon to be Updated, with an Install button. Clicking this yielded
-> https://moodle.org/plugins/download.php/3120/block_formal_langs_moodle24_2012021402.zip, Install this update
-> "Failed to find /localhost/moodle/mdeploy.php"
A second attempt gave:

Oops! It did it again
Moodle deployment utility had a trouble with your request. See the docs page http://docs.moodle.org/en/admin/mdeploy/unauthorized_access_exception and the debugging information for more details.
exception 'unauthorized_access_exception' with message 'Unable to read the passphrase file.' in mdeploy.php:845
Stack trace:
#0 mdeploy.php(714): worker->authorize()
#1 mdeploy.php(1399): worker->execute()
#2 {main}

- Alfresco repository To be upgraded.

Advice welcome to advance this, please.
CC: (none) => lewyssmith
It shouldn't be pulling anything from the internet or running mdeploy. On the plugin checks page just click the thing at the bottom of the page.
Fedora has issued an advisory for this on March 21: https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130741.html
URL: (none) => http://lwn.net/Vulnerabilities/592585/
(In reply to David Walser from comment #5)
> It shouldn't be pulling anything from the internet or running mdeploy. On
> the plugin checks page just click the thing at the bottom of the page.

Thanks David. Yes, you ignore the individual plugin items, click 'update database' at page bottom, & the plugin updates happen. A bit disconcerting that it then goes on to advise a more recent version available...

Ignoring that, login as admin, all trivial things I tried worked. Deemed OK for MGA4 64-bit.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Severity: normal => major
Testing mga4 32
Testing complete mga4 32

Testing mga3 64 next.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga4-64-ok MGA4-64-OK
Testing mga3 64

I'm finding when installing the current version it causes apache to segfault after the environment check.

http://mga364/moodle/admin/index.php?agreelicense=1&confirmrelease=1&lang=en

I'll see if the update does the same. Suhosin isn't installed.
Yes, the update segfaults here too at the same stage. Tried with php-suhosin installed and it's the same.
I'll clean all traces and try it again to rule out old cruft from previous testing.
Well apache segfaults aren't Moodle's fault, they're caused by bugs farther down the stack, either in PHP or Apache themselves, or in libraries they're using. I already fixed one in Mageia 4 with the libzip update (pending QA), and I had yesterday Apache segfaulting whenever you tried to connect to https, but restarting httpd made that go away (for now I guess).

I haven't run it in production on Mageia 3, I just jumped from Mageia 2 to Mageia 4 last week. I guess I can see why tmb has concerns about updating Mageia's wiki server from Mageia 2 to Mageia 4.

It'd be nice if we could see where the segfault is coming from exactly, but at least on Mageia 4, Apache will not produce a backtrace no matter what I do. I think the closest thing I got to anything useful was running strace httpd -M, so I could at least get some idea of what was going on before the crash, but it should have been obvious anyway based on what I was doing in Moodle.
(In reply to David Walser from comment #13)
>
> It'd be nice if we could see where the segfault is coming from exactly, but
> at least on Mageia 4, Apache will not produce a backtrace no matter what I
> do. I think the closest thing I got to anything useful was running strace
> httpd -M, so I could at least get some idea of what was going on before the
> crash, but it should have been obvious anyway based on what I was doing in
> Moodle.

gdb /sbin/httpd
run -X

should produce a backtrace.
CC: (none) => ftg
One problem solved, another encountered. It was failing during installation due to missing some packages from the php update on that VM so php had mixed versions. It now segfaults during the upgrade after installing updated moodle, same stage oddly enough, it does the environment check where everything was green OK and then segfaults at the next stage :\
And now, 3rd time trying, it went OK. It's a bit hit'n'miss.
(In reply to Frank Griffin from comment #14)
> gdb /sbin/httpd
> run -X
>
> should produce a backtrace.

Should. Doesn't.
Testing complete mga3 64. Once it worked, it upgraded itself OK and was fine afterwards. Not sure what was causing the apache segfaults but it'll be interesting to see if they happen for anybody else so I'll leave mga3 i586 for somebody else.
Whiteboard: MGA3TOO has_procedure mga4-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-64-OK
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-64-ok mga4-32-ok MGA4-64-OK
I just ran through a fresh Moodle setup in a Mageia 3 i586 VM and didn't have any issues. I also tested an upgrade from Moodle 2.4.7. I think this can be validated.
Thanks David. Adding the OK.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0160.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED