Upstream has released new versions today (May 11): https://moodle.org/mod/forum/discuss.php?d=313322 The security details will be made public in a week. The 2.6.11 release notes will be here: https://docs.moodle.org/dev/Moodle_2.6.11_release_notes Freeze push requested for Cauldron. Updated package uploaded for Mageia 4. Advisory to come later. Updated packages in core/updates_testing: ======================== moodle-2.6.11-1.mga4 from moodle-2.6.11-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production Moodle server, Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing complete mga4 64
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
Need an advisory David please.
Waiting on upstream for more details so adding feedback marker for now.
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure feedback MGA4-32-OK mga4-64-ok
Details have been published: http://openwall.com/lists/oss-security/2015/05/18/1 This can be validated now. Advisory: ======================== Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.11, leaving gradebook feedback is a trusted action and such capabilities in other modules already have an XSS mask, 'mod/quiz:grade' was missing this flag (CVE-2015-3174). In Moodle before 2.6.11, some error messages display a button to return to the previous page. Redirecting to non-local referer should not be allowed as it can potentially be used for phising (CVE-2015-3175). In Moodle before 2.6.11, on sites with enabled self-registration, not registered users can retrieve fullname of registered users if they know their usernames (CVE-2015-3176). In Moodle before 2.6.11, if a user who is not XSS-trusted attempts to insert a script as part of the input text, it will be cleaned when displayed on the Moodle website but may be displayed uncleaned in the external application because external_format_text() cleans and formats text incorrectly when returning it from Web Services (CVE-2015-3178). In Moodle before 2.6.11, when self-registration is enabled and a user's account was suspended after creating the account but before actually confirming it, the user is still able to login when confirming their email, but only once (CVE-2015-3179). In Moodle before 2.6.11, if a user is enrolled in the course but his enrollment is suspended, they can not access the course but still were able to see the course structure in the navigation block (CVE-2015-3180). In Moodle before 2.6.11, users with the revoked capability 'moodle/user:manageownfiles' are still able to upload private files using a deprecated function in Web Services (CVE-2015-3181). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3174 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3176 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3178 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3179 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3180 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3181 https://moodle.org/mod/forum/discuss.php?d=313681 https://moodle.org/mod/forum/discuss.php?d=313682 https://moodle.org/mod/forum/discuss.php?d=313683 https://moodle.org/mod/forum/discuss.php?d=313685 https://moodle.org/mod/forum/discuss.php?d=313686 https://moodle.org/mod/forum/discuss.php?d=313687 https://moodle.org/mod/forum/discuss.php?d=313688 https://docs.moodle.org/dev/Moodle_2.6.11_release_notes https://moodle.org/mod/forum/discuss.php?d=313322
Whiteboard: has_procedure feedback MGA4-32-OK mga4-64-ok => has_procedure MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0229.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/645052/