(In reply to David Walser from comment #0)
> Testing locally I'm having some problems with the db update.

The problems came from duplicate definitions in the updated preg plugin.  I figured out the fix locally by removing the duplicate definitions.  I also reported it upstream and a fixed archive should be available soon.

Security and CVE information:
http://openwall.com/lists/oss-security/2015/09/21/1

Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.8, completed and graded lesson activity was not
protected against making new attempts to answer some questions, so students
could re-attempt answering questions in the lesson (CVE-2015-5264).

In Moodle before 2.8.8, users could delete files uploaded by other users in
wiki (CVE-2015-5265).

In Moodle before 2.8.8, meta course synchronisation enrols suspended students
as managers for a short period of time and causes large database growth. On
large installations, when the sync script takes a long time, suspended
students may get assigned a manager role in meta course for several minutes
(CVE-2015-5266)

In Moodle before 2.8.8, password recovery tokens can be guessed because of
php randomisation limitations (CVE-2015-5267).

In Moodle before 2.8.8, when viewing ratings, the group access was not
properly checked, allowing users from other groups to view ratings
(CVE-2015-5268).

In Moodle before 2.8.8, capability to manage groups does not have XSS risk,
however it was possible to add XSS to the grouping description
(CVE-2015-5269).

The moodle package has been updated to version 2.8.8, fixing these issues and
several other bugs.

Additionally, the preg plugin has been updated to version 2.8, and the OU
Multiple Response question type and UIkit theme have been added to the
package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5269
https://moodle.org/mod/forum/discuss.php?d=320287
https://moodle.org/mod/forum/discuss.php?d=320289
https://moodle.org/mod/forum/discuss.php?d=320290
https://moodle.org/mod/forum/discuss.php?d=320291
https://moodle.org/mod/forum/discuss.php?d=320292
https://moodle.org/mod/forum/discuss.php?d=320293
https://docs.moodle.org/dev/Moodle_2.8.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=319884
https://bitbucket.org/oasychev/moodle-plugins/
https://moodle.org/plugins/view/qtype_oumultiresponse
https://moodle.org/plugins/view/theme_uikit
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.8-1.mga5

from moodle-2.8.8-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Severity: normal => major

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
moodle

default install of moodle

[root@localhost wilcal]# urpmi moodle
Package moodle-2.8.7-1.mga5.noarch is already installed

To get this up and running simplest way:

urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root 
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<test>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then in an su - terminal
kwrite /var/www/moodle/config.php
and in the empty single quotes for dbuser and dbpass, put 'moodle' for
dbuser ( line 11 ), and the password 'test' ( line 12 ) used to create
user mysql command in for dbpass.

All went as expected.

Then browse to http://localhost/moodle to complete the setup.
"Unable to connect" on Firefox browser.
http://localhost/~wilcal/ works fine on the same browser.

Hints?

CC: (none) => wilcal.int

(In reply to William Kenney from comment #4)
> Hints?

Check your apache logs (in /var/log/httpd).

If testing from a computer other than the host you need to alter the config.php as shown here https://moodle.org/mod/forum/discuss.php?d=210399#p918831 to enable access from elsewhere.

Getting this at the moment with the update, will try another mirror after some sleep.

The following package has bad signature:                                           
/var/cache/urpmi/rpms/moodle-2.8.8-1.mga5.noarch.rpm: Medium without key (OK (RSA/SHA1, Mon 21 Sep 2015 19:26:33 BST, Key ID b742fa8b80420f66))

That was strange, had to use urpmi.update --force-key to add the gpg key for updates testing.

Moodle update is OK anyway, if slightly unusual, with one new warning..
-------
unsupported_db_table_row_format 	if this test fails, it indicates a potential problem

Your database has tables using Antelope as the file format. You are recommended to convert the tables to the Barracuda file format. See the documentation Administration via command line for details of a tool for converting InnoDB tables to Barracuda
---------


On the database upgrade page where it lists plugins to be upgraded, just scroll to the bottom and click continue.

This update adds new settings (and presumably modules) which are listed after the database upgrade completes for Formal Languages Block, Youtube, Regular Expression, graduation-cap in General Settings, Layout option, Custom Menu, Frontpage Slideshow, Login Page Settings, Frontpage Settings, Marketing Spots, Social Networking, Mobile Apps, Google Fonts & Google Analytics and 
Sticky navigation bar delay in Layout Options.


It announces a new version is available after reviewing/saving these extra settings (Moodle 2.9.2+ (Build: 20150918) Version 2015051102.01 Stable version)

Does it need a further update David?

(In reply to claire robinson from comment #7)
> unsupported_db_table_row_format 	if this test fails, it indicates a
> potential problem
> 
> Your database has tables using Antelope as the file format. You are
> recommended to convert the tables to the Barracuda file format. See the
> documentation Administration via command line for details of a tool for
> converting InnoDB tables to Barracuda

This can be fixed with some mysql commands.  I guess Moodle doesn't even try to do it itself (which I'd think it could if you don't have a password for root in mysql), and you can't do it right after you first create the database, you have to wait until after you've done the web installation so the tables are created.

USE moodle;
SET SESSION sql_mode=STRICT_ALL_TABLES;
SET GLOBAL innodb_file_per_table=1;
SET GLOBAL innodb_file_format=Barracuda;
ALTER TABLE mdl_data ROW_FORMAT=Compressed;
ALTER TABLE mdl_data_fields ROW_FORMAT=Compressed;
ALTER TABLE mdl_enrol_paypal ROW_FORMAT=Compressed;
ALTER TABLE mdl_lti ROW_FORMAT=Compressed; 
ALTER TABLE mdl_user ROW_FORMAT=Compressed;
ALTER TABLE mdl_user_info_field ROW_FORMAT=Compressed;

> It announces a new version is available after reviewing/saving these extra
> settings (Moodle 2.9.2+ (Build: 20150918) Version 2015051102.01 Stable
> version)
> 
> Does it need a further update David?

No, we're not switching to the 2.9 branch.

Adding the OK then. I'll validate later.

Whiteboard: has_procedure => has_procedure mga5-64-ok

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED