Bug 15084 - moodle new security issues fixed in 2.6.7
Summary: moodle new security issues fixed in 2.6.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/630070/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
 
Reported: 2015-01-19 17:20 CET by David Walser
Modified: 2015-01-20 20:15 CET
Source RPM: moodle-2.6.6-1.mga4.src.rpm

Description David Walser 2015-01-19 17:20:23 CET
Upstream has released new versions on January 12:
https://moodle.org/mod/forum/discuss.php?d=278176

The security issues were made public today (January 19):
http://openwall.com/lists/oss-security/2015/01/19/1

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.7, the absence of a capability check in an AJAX backend
script in the LTI module could allow any enrolled user to search the list of
registered tools (CVE-2015-0211).

In Moodle before 2.6.7, the course summary on the course request pending
approval page was displayed to the manager unescaped and could be used for an
XSS attack (CVE-2015-0212).

In Moodle before 2.6.7, two files in the Glossary module lacked a session key
check, potentially allowing cross-site request forgery (CVE-2015-0213).

In Moodle before 2.6.7, through web-services it was possible to access
messaging-related functions such as people search even if messaging is
disabled on the site (CVE-2015-0214).

In Moodle before 2.6.7, through web-services it was possible to get
information about calendar events which the user did not have enough
permissions to see (CVE-2015-0215).

In Moodle before 2.6.7, a non-optimal regular expression in the multimedia
filter could be exploited to create extra server load or make a particular
page unavailable, resulting in a denial of service (CVE-2015-0217).

In Moodle before 2.6.7, it was possible to forge a request to log out users
even when not authenticated through Shibboleth (CVE-2015-0218).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0218
https://moodle.org/mod/forum/discuss.php?d=278611
https://moodle.org/mod/forum/discuss.php?d=278612
https://moodle.org/mod/forum/discuss.php?d=278613
https://moodle.org/mod/forum/discuss.php?d=278614
https://moodle.org/mod/forum/discuss.php?d=278615
https://moodle.org/mod/forum/discuss.php?d=278617
https://moodle.org/mod/forum/discuss.php?d=278618
https://docs.moodle.org/dev/Moodle_2.6.7_release_notes
https://moodle.org/mod/forum/discuss.php?d=278176
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.7-1.mga3
moodle-2.6.7-1.mga4

from SRPMS:
moodle-2.6.7-1.mga3.src.rpm
moodle-2.6.7-1.mga4.src.rpm

Comment 1 David Walser 2015-01-19 17:20:42 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Whiteboard: (none) => has_procedure

Comment 2 olivier charles 2015-01-19 21:29:23 CET
Testing on Mageia4x64 real hardware following procedure mentioned in Comment 1

From current package:
--------------------
moodle-2.6.6-1.mga4
(don't know why, in MCC, latest version shown was moodle-2.6.3-1.mga4, had to urpmi to get this version)


After creating database with mysqld commands, proceeded to install moodle.
Once installed, could create a new course, log in and out, upload a file, backup, restore ...
All OK

To updated testing package:
--------------------------
moodle-2.6.7-1.mga4

Went to:
http://localhost/moodle
which showed:
Upgrading Moodle database from version 2.6.6 (Build: 20141110) (2013111806.00) to 2.6.7 (Build: 20150112) (2013111807.00)
Proceeded to upgrade.
Could connect back to previous course, make some changes, log in and out, backup, restore...

Dropped moodle database and user
Recreated moodle database from scratch and performed a new installation
Created a new course.

All ok

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 David Walser 2015-01-20 13:55:31 CET
Working fine on our production Moodle server at work, Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-01-20 15:39:38 CET
Validating. Advisory uploaded (minus mga3 package)

Please push to 4 updates

Thanks

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-01-20 15:58:08 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0032.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-20 20:15:48 CET

URL: (none) => http://lwn.net/Vulnerabilities/630070/

