Upstream has issued new releases today (May 12):
http://docs.moodle.org/dev/Moodle_2.4.10_release_notes
http://docs.moodle.org/dev/Moodle_2.6.3_release_notes

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages. I'll have to check the 2.4.10 release notes to see which issues our current 2.4.9 is vulnerable to.

As you can also see, Moodle 2.4 is only in limited support now; it's only supported for security issues, not even bugfixes anymore. Also, according to other documentation, even the security support is expected to end before Mageia 3 EOL.

I upgraded our Moodle server to Mageia 4 and updated our local Moodle package to 2.6.2 about 6 weeks ago, and we've run two classes in production with it; it worked well and we didn't have any issues. I just installed 2.6.3 and everything still looks OK. I also tested 2.6.2 on our previous Mageia 2 server and it worked fine there as well. Therefore, I am updating us to the 2.6 branch.

Note that updating to 2.6 should also eliminate the issue Lewis pointed out last time:
https://bugs.mageia.org/show_bug.cgi?id=13005#c4

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. I'll write an advisory once the details are available.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Updated packages in core/updates_testing:
========================
moodle-2.6.3-1.mga3
moodle-2.6.3-1.mga4

from SRPMS:
moodle-2.6.3-1.mga3.src.rpm
moodle-2.6.3-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga3 64. After installing the update, on the next visit it asks to perform the update, then checks the plugins. Scrolling to the bottom and clicking to continue does so without error, and all is well after it completes.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok
Sorry it was mga3 32 above.
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok
Testing complete mga3 64. Installed and updated, but this time performed the installation with the testing version.
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing MGA4 64-bit, real hardware. The big update went fine; but I have forgotten the admin username & password, so I might have to re-install it to actually try it. Grrr.
CC: (none) => lewyssmith
Re-installed [from Updates Testing] moodle-2.6.3-1.mga4. You need to:

- Create a MySQL/MariaDB database with:
  CREATE DATABASE moodle DEFAULT CHARACTER SET UTF8 COLLATE utf8_unicode_ci;
  GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO moodleuser@localhost IDENTIFIED BY 'yourpassword';
  with your choice of 'moodleuser' & 'yourpassword'. Note them both!

- Update /var/www/moodle/config.php dbuser & dbpass with the MySQL/MariaDB user & password for the 'moodle' database.

To then launch Moodle on your local machine: http://localhost/moodle
The first time demands the administrator username (default 'admin') and a very complicated password; be sure to note these permanently!

Very basic testing, setting the system up to the point of defining a naked course, all seemed to work fine.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK
Well done Lewis. Testing complete mga4 32 too. It's missing an advisory though, David, please.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
Thanks everyone. I expect to have an advisory tomorrow.
Details on the issues fixed in this round of Moodle updates were released:
http://openwall.com/lists/oss-security/2014/05/19/1

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.3, session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users (CVE-2014-0213).

In Moodle before 2.6.3, MoodleMobile web service tokens, created automatically in login/token.php, were not expiring and were valid forever (CVE-2014-0214).

In Moodle before 2.6.3, some student details, including identities, were included in assignment marking pages and would have been revealed to screen readers or through code inspection (CVE-2014-0215).

In Moodle before 2.6.3, access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users (CVE-2014-0216).

In Moodle before 2.6.3, there was a lack of filtering in the URL downloader repository that could have been exploited for XSS (CVE-2014-0218).

The 2.4 branch of Moodle will no longer be supported as of approximately June 2014, so the Moodle package has been upgraded to version 2.6.3 to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0218
https://moodle.org/mod/forum/discuss.php?d=260361
https://moodle.org/mod/forum/discuss.php?d=260362
https://moodle.org/mod/forum/discuss.php?d=260363
https://moodle.org/mod/forum/discuss.php?d=260364
https://moodle.org/mod/forum/discuss.php?d=260366
http://docs.moodle.org/dev/Moodle_2.4.10_release_notes
http://docs.moodle.org/dev/Moodle_2.6.3_release_notes
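An added illustration of the two fix patterns behind the first two advisory items (CVE-2014-0213: a state-changing request must carry the caller's session key, so a forged cross-site request that rides on the victim's cookies is refused; CVE-2014-0214: web-service tokens must carry an expiry and be rejected once it passes). This is example code written for this page, not Moodle's code and not the patch shipped in 2.6.3; the names (Session, quick_grade, WebServiceToken, issue_token, user_for_token), the in-memory stores and the 12-hour token lifetime are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed data model: one logged-in session and a token store held in
# plain dicts. Nothing here is Moodle code; it mirrors the two fix patterns
# the advisory describes for CVE-2014-0213 and CVE-2014-0214.


@dataclass
class Session:
    user_id: int
    sesskey: str  # random per-login key, embedded in every form the user is served


def new_session(user_id: int) -> Session:
    return Session(user_id=user_id, sesskey=secrets.token_hex(16))


def quick_grade(session: Session, params: dict, grades: dict) -> tuple:
    """State-changing handler (hypothetical stand-in for quick-grading).

    Being authenticated is not enough. A forged cross-site POST carries the
    victim's cookies but cannot know the session key, so the handler refuses
    unless the key in the request body matches the session's key.
    compare_digest keeps the comparison constant-time.
    """
    submitted = str(params.get("sesskey", "")).encode()
    if not hmac.compare_digest(submitted, session.sesskey.encode()):
        return False, "missing or invalid sesskey"
    grades[int(params["userid"])] = float(params["grade"])
    return True, "grade saved"


TOKEN_TTL_SECONDS = 12 * 60 * 60  # assumed lifetime for the example, not Moodle's value


@dataclass
class WebServiceToken:
    user_id: int
    valid_until: float  # epoch seconds; every token gets one, none is valid forever


def issue_token(store: dict, user_id: int, now: float, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Mint a token with a hard expiry and record it in the constructed store."""
    value = secrets.token_hex(32)
    store[value] = WebServiceToken(user_id=user_id, valid_until=now + ttl)
    return value


def user_for_token(store: dict, presented: str, now: float):
    """Resolve a presented token to a user id, or None if unknown or expired.

    Expired entries are removed on sight so an old token that leaks later
    stays dead instead of lingering in the store.
    """
    tok = store.get(presented)
    if tok is None:
        return None
    if now >= tok.valid_until:
        del store[presented]
        return None
    return tok.user_id


if __name__ == "__main__":
    s = new_session(user_id=7)
    grades = {}
    # Forged request: authenticated session, but no session key in the body.
    print(quick_grade(s, {"userid": 42, "grade": 85}, grades))
    # Genuine request from a form that embedded the session key.
    print(quick_grade(s, {"userid": 42, "grade": 85, "sesskey": s.sesskey}, grades))

    store = {}
    t0 = 1_400_000_000.0
    t = issue_token(store, user_id=7, now=t0)
    print(user_for_token(store, t, now=t0 + 60))                  # still valid
    print(user_for_token(store, t, now=t0 + TOKEN_TTL_SECONDS))   # expired, None
```

The token check deliberately treats "no expiry" as impossible rather than as "valid forever": every issued token has a `valid_until`, which is the property the 2.6.3 fix restores for tokens minted by login/token.php.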
Thanks David, advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0230.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/599629/