Upstream has released new versions on July 14: https://moodle.org/mod/forum/discuss.php?d=263858

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages: http://docs.moodle.org/dev/Moodle_2.6.4_release_notes

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. I'll write an advisory once the details are available.

Updated packages in core/updates_testing:
========================
moodle-2.6.4-1.mga3
moodle-2.6.4-1.mga4

from SRPMS:
moodle-2.6.4-1.mga3.src.rpm
moodle-2.6.4-1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO
Working fine on our production Moodle server at work (Mageia 4 i586). I even tried switching back to php-opcache as I had had problems with it before, but one of our recent PHP updates must have fixed that too. Nice!
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
On MGA4-64 I was able to install Moodle and get a basic site up and running, then upgraded and went through the db upgrade with no issue. I don't have a pre-built site but those options I tried worked.
CC: (none) => dpremy
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK
Details on the issues fixed in this round of Moodle updates were released: http://www.openwall.com/lists/oss-security/2014/07/21/2

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.4, serialised data passed by repositories could potentially contain objects defined by add-ons that could include executable code (CVE-2014-3541).

In Moodle before 2.6.4, it was possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files (CVE-2014-3542).

In Moodle before 2.6.4, it was possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files (CVE-2014-3543).

In Moodle before 2.6.4, filtering of the Skype profile field was not removing potentially harmful code (CVE-2014-3544).

In Moodle before 2.6.4, it was possible to inject code into Calculated questions that would be executed on the server (CVE-2014-3545).

In Moodle before 2.6.4, it was possible to get limited user information, such as user name and courses, by manipulating the URL of profile and notes pages (CVE-2014-3546).

In Moodle before 2.6.4, the details of badges from external sources were not being filtered (CVE-2014-3547).

In Moodle before 2.6.4, content of exception dialogues presented from AJAX calls was not being escaped before being presented to users (CVE-2014-3548).

In Moodle before 2.6.4, fields in rubrics were not being correctly filtered (CVE-2014-3551).

In Moodle before 2.6.4, forum was allowing users who were members of more than one group to post to all groups without the capability to access all groups (CVE-2014-3553).

The moodle package has been updated to version 2.6.4, to fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3553
https://moodle.org/mod/forum/discuss.php?d=264262
https://moodle.org/mod/forum/discuss.php?d=264263
https://moodle.org/mod/forum/discuss.php?d=264264
https://moodle.org/mod/forum/discuss.php?d=264265
https://moodle.org/mod/forum/discuss.php?d=264266
https://moodle.org/mod/forum/discuss.php?d=264267
https://moodle.org/mod/forum/discuss.php?d=264268
https://moodle.org/mod/forum/discuss.php?d=264269
https://moodle.org/mod/forum/discuss.php?d=264270
https://moodle.org/mod/forum/discuss.php?d=264273
http://docs.moodle.org/dev/Moodle_2.6.4_release_notes
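The first item in the advisory above (CVE-2014-3541) belongs to the PHP object-injection class: when serialised data from an untrusted source is passed to unserialize(), any class loaded at that moment can be instantiated, and its magic methods (such as __destruct or __wakeup) run without the caller ever invoking them. The block below is an added example, not code from Moodle or from the Mageia package; it shows the unsafe call next to two defensive alternatives. The class name AddonLogger, the functions loadUntrusted and containsObject, and the serialised input string are all constructed for illustration.

```php
<?php
// Added example, not Moodle or Mageia code. Demonstrates the issue class behind
// CVE-2014-3541 (untrusted serialised data instantiating arbitrary classes)
// and two ways to keep that from happening.

// Hypothetical stand-in for an add-on class that carries a magic method.
class AddonLogger
{
    public $file = '/tmp/addon.log';

    public function __destruct()
    {
        // Runs automatically when the object is destroyed, so it executes
        // even though the deserialising code never called a method on it.
        echo "AddonLogger::__destruct would now write to {$this->file}\n";
    }
}

// Constructed input: a serialised AddonLogger, the shape attacker-influenced
// data arriving from an external source would take.
$untrusted = 'O:11:"AddonLogger":1:{s:4:"file";s:17:"/tmp/attacker.log";}';

// 1. Unsafe: any loaded class can be materialised from the string.
$obj = unserialize($untrusted);
echo "unsafe unserialize produced an instance of ", get_class($obj), "\n";

// Helper: true if any object survives inside the decoded value, at any depth.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// 2. Hardened (PHP >= 7.0): forbid every class with allowed_classes => false.
//    Objects in the payload become __PHP_Incomplete_Class, so no magic method
//    of the original class runs. The walk afterwards rejects even those inert
//    placeholders, because re-serialising them elsewhere and unserialising
//    without the restriction would bring them back to life.
function loadUntrusted(string $serialised)
{
    $value = @unserialize($serialised, ['allowed_classes' => false]);
    if ($value === false && $serialised !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialised data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted here');
    }
    return $value;
}

try {
    loadUntrusted($untrusted);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected the payload: ", $e->getMessage(), "\n";
}

// Plain arrays of scalars still pass, which is all a data exchange should need.
$list = loadUntrusted('a:2:{i:0;s:1:"x";i:1;s:1:"y";}');
echo "accepted array with ", count($list), " entries\n";

// 3. Preferable for data that crosses a trust boundary: a format that cannot
//    express PHP objects at all. json_decode with assoc=true yields only
//    scalars and arrays (JSON_THROW_ON_ERROR needs PHP >= 7.3).
$decoded = json_decode('{"file":"/tmp/addon.log"}', true, 512, JSON_THROW_ON_ERROR);
echo "json path decoded file=", $decoded['file'], "\n";
```

Run it as a plain CLI script; the __destruct message printed at the end comes only from the object created by the unsafe call in step 1, which is the point: the hardened and JSON paths never create an AddonLogger. Moodle's own fix is described in the linked tracker thread and is not reproduced here.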
Advisory uploaded. This still needs to be tested on mga3 before it can be validated.
CC: (none) => remi
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK advisory
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory
Fedora has issued an advisory for this on July 22: https://lists.fedoraproject.org/pipermail/package-announce/2014-July/136159.html
URL: (none) => http://lwn.net/Vulnerabilities/607135/
Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Made sure it installs in Mageia 3 32bit.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0308.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED