Upstream has issued new releases today (May 12):
Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages. I'll have to check the 2.4.10 release notes to see which issues our current 2.4.9 is vulnerable to.
As you can also see, Moodle 2.4 is only in limited support now; it's only supported for security issues, not even bugfixes anymore. Also, according to other documentation, even the security support is expected to end before Mageia 3 EOL.
I upgraded our Moodle server to Mageia 4 and updated our local Moodle package to 2.6.2 about 6 weeks ago, and we've run two classes in production with it and it worked well and we didn't have any issues. I just installed 2.6.3 and everything still looks OK. I also tested 2.6.2 on our previous Mageia 2 server and it worked fine there as well. Therefore, I am updating us to the 2.6 branch.
Note that updating to 2.6 should also eliminate the issue Lewis pointed out last time:
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.
I'll write an advisory once the details are available.
Updated packages in core/updates_testing:
Steps to Reproduce:
Testing complete mga3 64
After installing the update, on the next visit it asks to perform the update, then checks the plugins. Scrolling to the bottom and clicking to continue does so without error and all is well after it completes.
MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok
Sorry, it was mga3 32 above.
MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok
Testing complete mga3 64
Installed and updated but this time performed the installation with the testing version.
MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing MGA4 64-bit real hardware.
The big update went fine; but I have forgotten the admin username & password, so might have to re-install it to actually try it. Grrr.
Re-installed [from Updates Testing] moodle-2.6.3-1.mga4. You need to:
- Create a MySQL/MariaDB database with:
CREATE DATABASE moodle DEFAULT CHARACTER SET UTF8 COLLATE utf8_unicode_ci;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO moodleuser@localhost IDENTIFIED BY 'yourpassword';
with your choice of 'moodleuser' & 'yourpassword'. Note them both!
- Update /var/www/moodle/config.php
dbuser & dbpass with the MySQL/MariaDB user & password for the 'moodle' database.
To then launch Moodle on your local machine:
The first time demands the administrator username (default 'admin') and very complicated password; be sure to note these permanently!
Very basic testing, setting the system up to the point of defining a naked course all seemed to work fine.
MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK
Well done Lewis.
Testing complete mga4 32 too
It's missing an advisory though, David, please.
MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
Thanks everyone. I expect to have an advisory tomorrow.
Details on the issues fixed in this round of Moodle updates were released:
Updated moodle package fixes security vulnerabilities:
In Moodle before 2.6.3, Session checking was not being performed correctly
in Assignment's quick-grading, allowing forged requests to be made
unknowingly by authenticated users (CVE-2014-0213).
In Moodle before 2.6.3, MoodleMobile web service tokens, created
automatically in login/token.php, were not expiring and were valid forever
In Moodle before 2.6.3, Some student details, including identities, were
included in assignment marking pages and would have been revealed to
screen readers or through code inspection (CVE-2014-0215).
In Moodle before 2.6.3, Access to files linked on HTML blocks on the My
home page was not being checked in the correct context, allowing access to
unauthenticated users (CVE-2014-0216).
In Moodle before 2.6.3, There was a lack of filtering in the URL
downloader repository that could have been exploited for XSS
The 2.4 branch of Moodle will no longer be supported as of approximately
June 2014, so the Moodle package has been upgraded to version 2.6.3 to fix
Thanks David, advisory uploaded.
Could sysadmin please push to 3 & 4 updates?
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK