Upstream has released new versions on February 2: https://moodle.org/mod/forum/discuss.php?d=279502

The security issue was made public today (February 9): http://openwall.com/lists/oss-security/2015/02/09/2

A CVE was requested on oss-security for the security issue before the Moodle notification was made public, so there's a duplicate CVE for this issue: http://openwall.com/lists/oss-security/2015/02/09/5

MITRE decided to use the one they had issued on the list, rather than the one Moodle privately had. Hence, the CVE in our advisory doesn't currently match the upstream one. We'll change this if there's an objection to it from upstream.

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerability:

In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing to read files located outside of moodle directory. All OS's are affected, but especially vulnerable are Windows servers (CVE-2015-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1493
https://moodle.org/mod/forum/discuss.php?d=279956
https://docs.moodle.org/dev/Moodle_2.6.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=279502
http://openwall.com/lists/oss-security/2015/02/09/5
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.8-1.mga4

from moodle-2.6.8-1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production Moodle server at work, Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing complete mga4 64
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0057.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/632710/