Upstream has released new versions on March 10:
https://moodle.org/mod/forum/discuss.php?d=305077

The security issues were made public today (March 16):
http://openwall.com/lists/oss-security/2015/03/16/1

Freeze push requested for Cauldron.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.9, by modifying the URL a logged-in user can view the list of another user's contacts, the number of unread messages and the list of their courses (CVE-2015-2266).

In Moodle before 2.6.9, authentication in mdeploy can be bypassed. It is theoretically possible to extract files anywhere on the system where the web server has write access. The attacking user must know details about the system and already have significant permissions on the site (CVE-2015-2267).

In Moodle before 2.6.9, a non-optimal regular expression in the "Convert links to URLs" filter could be exploited to create extra server load or make particular pages unavailable (CVE-2015-2268).

In Moodle before 2.6.9, it is possible to create HTML injection through blocks with configurable titles; however, this could only be exploited by users who are already marked as XSS-trusted (CVE-2015-2269).

In Moodle before 2.6.9, for custom themes that use block regions in the base layout, the blocks for inaccessible courses could be displayed together with sensitive course-related information. Most themes, including all standard Moodle themes, are not affected (CVE-2015-2270).

In Moodle before 2.6.9, users without proper permission are able to mark tags as inappropriate. Since this capability is given to authenticated users by default, this is not an issue for most sites (CVE-2015-2271).

In Moodle before 2.6.9, even when a user's password is forced to be changed on login, the user could still use it for authentication in order to create a web service token and therefore extend the life of the temporary password via web services (CVE-2015-2272).

In Moodle before 2.6.9, the Quiz statistics report did not properly escape student responses and could be used for an XSS attack (CVE-2015-2273).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2273
https://moodle.org/mod/forum/discuss.php?d=307380
https://moodle.org/mod/forum/discuss.php?d=307381
https://moodle.org/mod/forum/discuss.php?d=307382
https://moodle.org/mod/forum/discuss.php?d=307383
https://moodle.org/mod/forum/discuss.php?d=307384
https://moodle.org/mod/forum/discuss.php?d=307385
https://moodle.org/mod/forum/discuss.php?d=307386
https://moodle.org/mod/forum/discuss.php?d=307387
https://docs.moodle.org/dev/Moodle_2.6.10_release_notes
https://moodle.org/mod/forum/discuss.php?d=305077
========================

Updated packages in core/updates_testing:
========================
moodle-2.6.10-1.mga4 from moodle-2.6.10-1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production Moodle server at work, Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing complete on mga4 64; the database upgrades itself and login proceeds.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0110.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/637288/