Upstream has released new versions on July 6:
https://moodle.org/mod/forum/discuss.php?d=316289

The security issues have been made public today (July 13):
http://www.openwall.com/lists/oss-security/2015/07/13/2

The Moodle 2.8.7 release notes are here:
https://docs.moodle.org/dev/Moodle_2.8.7_release_notes

Moodle 2.6 is no longer supported.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.7, phishing is possible when redirecting to external site using referer headers in error messages (CVE-2015-3272).

In Moodle before 2.8.7, several web services returning user information did not clean text in text custom profile fields, leading to possible XSS (CVE-2015-3274).

In Moodle before 2.8.7, possible Javascript injection was discovered in the SCORM module (CVE-2015-3275).

As Moodle 2.6 is no longer supported, users of this package on Mageia 4 are advised to migrate to Mageia 5.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3275
https://moodle.org/mod/forum/discuss.php?d=316662
https://moodle.org/mod/forum/discuss.php?d=316664
https://moodle.org/mod/forum/discuss.php?d=316665
https://docs.moodle.org/dev/Moodle_2.8.7_release_notes
https://moodle.org/mod/forum/discuss.php?d=316289
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.7-1.mga5

from moodle-2.8.7-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
Going to give this a go for mga5 x86_64. Installed phpmyadmin and moodle. Enabled core updates testing and installed the update candidate. Checking out Claire's procedure now.
CC: (none) => tarazed25
Sorry; David's procedure.
This is all foreign country to me but got as far as creating the database and user and failed like Claire in the browser. systemctl restart httpd did the trick - have the start page in the browser right now. Have to take a break.
Passed minimum system requirements, then successful checks on a huge number of parameters/properties/attributes(?). Created user and assigned him my email address. Could not get past the last page because it wanted a site name and I did not have a clue what it was talking about.
Supplied a random name and an abbreviation and proceeded to site administration. Should I register? (in order to get feedback - like a welcome email) And is this all that is required to test the update?
It sounds like you've sufficiently tested it
Right then. Shall keep the database settings but ignore site registration. Marking this OK.
And thanks for the detailed procedure. That streamlined the whole thing.
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Yeah, you don't want to do site registration, that's for public Moodle sites
Well done Len. Noarch. Validating. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0302.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/653503/