Upstream has released new versions on September 14:
https://moodle.org/mod/forum/discuss.php?d=319884

The security issues fixed will be listed here next week:
https://docs.moodle.org/dev/Moodle_2.8.8_release_notes

I'm also adding another question type and theme in this release:
https://moodle.org/plugins/view/qtype_oumultiresponse
https://moodle.org/plugins/view/theme_uikit

The preg question type needs to be updated too:
https://bitbucket.org/oasychev/moodle-plugins/downloads

Testing locally I'm having some problems with the db update.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #0)
> Testing locally I'm having some problems with the db update.

The problems came from duplicate definitions in the updated preg plugin. I figured out the fix locally by removing the duplicate definitions. I also reported it upstream and a fixed archive should be available soon.
CC: (none) => mageia
Hardware: i586 => All
Assignee: bugsquad => luigiwalser
Security and CVE information: http://openwall.com/lists/oss-security/2015/09/21/1
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.8, completed and graded lesson activity was not protected against making new attempts to answer some questions, so students could re-attempt answering questions in the lesson (CVE-2015-5264).

In Moodle before 2.8.8, users could delete files uploaded by other users in wiki (CVE-2015-5265).

In Moodle before 2.8.8, meta course synchronisation enrols suspended students as managers for a short period of time and causes large database growth. On large installations, when the sync script takes a long time, suspended students may get assigned a manager role in meta course for several minutes (CVE-2015-5266).

In Moodle before 2.8.8, password recovery tokens can be guessed because of php randomisation limitations (CVE-2015-5267).

In Moodle before 2.8.8, when viewing ratings, the group access was not properly checked, allowing users from other groups to view ratings (CVE-2015-5268).

In Moodle before 2.8.8, capability to manage groups does not have XSS risk, however it was possible to add XSS to the grouping description (CVE-2015-5269).

The moodle package has been updated to version 2.8.8, fixing these issues and several other bugs. Additionally, the preg plugin has been updated to version 2.8, and the OU Multiple Response question type and UIkit theme have been added to the package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5269
https://moodle.org/mod/forum/discuss.php?d=320287
https://moodle.org/mod/forum/discuss.php?d=320289
https://moodle.org/mod/forum/discuss.php?d=320290
https://moodle.org/mod/forum/discuss.php?d=320291
https://moodle.org/mod/forum/discuss.php?d=320292
https://moodle.org/mod/forum/discuss.php?d=320293
https://docs.moodle.org/dev/Moodle_2.8.8_release_notes
https://moodle.org/mod/forum/discuss.php?d=319884
https://bitbucket.org/oasychev/moodle-plugins/
https://moodle.org/plugins/view/qtype_oumultiresponse
https://moodle.org/plugins/view/theme_uikit
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.8-1.mga5

from moodle-2.8.8-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Severity: normal => major
In VirtualBox, M5, KDE, 32-bit Package(s) under test: moodle default install of moodle [root@localhost wilcal]# urpmi moodle Package moodle-2.8.7-1.mga5.noarch is already installed To get this up and running simplest way: urpmi mariadb systemctl enable mysqld.service systemctl start mysqld.service mysql -u root mysql> create database moodle; mysql> create user 'moodle'@'localhost' identified by '<test>'; mysql> grant all on moodle.* to 'moodle'@'localhost'; mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; mysql> exit; Then in an su - terminal kwrite /var/www/moodle/config.php and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser ( line 11 ), and the password 'test' ( line 12 ) used to create user mysql command in for dbpass. All went as expected. Then browse to http://localhost/moodle to complete the setup. "Unable to connect" on Firefox browser. http://localhost/~wilcal/ works fine on the same browser. Hints?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #4)
> Hints?

Check your apache logs (in /var/log/httpd).
If testing from a computer other than the host you need to alter the config.php as shown here
https://moodle.org/mod/forum/discuss.php?d=210399#p918831
to enable access from elsewhere.

Getting this at the moment with the update, will try another mirror after some sleep.

The following package has bad signature:
/var/cache/urpmi/rpms/moodle-2.8.8-1.mga5.noarch.rpm: Medium without key (OK (RSA/SHA1, Mon 21 Sep 2015 19:26:33 BST, Key ID b742fa8b80420f66))
That was strange, had to use urpmi.update --force-key to add the gpg key for updates testing.

Moodle update is OK anyway, if slightly unusual, with one new warning:

-------
unsupported_db_table_row_format
if this test fails, it indicates a potential problem

Your database has tables using Antelope as the file format. You are recommended to convert the tables to the Barracuda file format. See the documentation Administration via command line for details of a tool for converting InnoDB tables to Barracuda
---------

On the database upgrade page where it lists plugins to be upgraded, just scroll to the bottom and click continue.

This update adds new settings (and presumably modules) which are listed after the database upgrade completes for Formal Languages Block, Youtube, Regular Expression, graduation-cap in General Settings, Layout option, Custom Menu, Frontpage Slideshow, Login Page Settings, Frontpage Settings, Marketing Spots, Social Networking, Mobile Apps, Google Fonts & Google Analytics and Sticky navigation bar delay in Layout Options.

It announces a new version is available after reviewing/saving these extra settings (Moodle 2.9.2+ (Build: 20150918) Version 2015051102.01 Stable version)

Does it need a further update David?
(In reply to claire robinson from comment #7)
> unsupported_db_table_row_format
> if this test fails, it indicates a potential problem
>
> Your database has tables using Antelope as the file format. You are
> recommended to convert the tables to the Barracuda file format. See the
> documentation Administration via command line for details of a tool for
> converting InnoDB tables to Barracuda

This can be fixed with some mysql commands. I guess Moodle doesn't even try to do it itself (which I'd think it could if you don't have a password for root in mysql), and you can't do it right after you first create the database, you have to wait until after you've done the web installation so the tables are created.

USE moodle;
SET SESSION sql_mode=STRICT_ALL_TABLES;
SET GLOBAL innodb_file_per_table=1;
SET GLOBAL innodb_file_format=Barracuda;
ALTER TABLE mdl_data ROW_FORMAT=Compressed;
ALTER TABLE mdl_data_fields ROW_FORMAT=Compressed;
ALTER TABLE mdl_enrol_paypal ROW_FORMAT=Compressed;
ALTER TABLE mdl_lti ROW_FORMAT=Compressed;
ALTER TABLE mdl_user ROW_FORMAT=Compressed;
ALTER TABLE mdl_user_info_field ROW_FORMAT=Compressed;

> It announces a new version is available after reviewing/saving these extra
> settings (Moodle 2.9.2+ (Build: 20150918) Version 2015051102.01 Stable
> version)
>
> Does it need a further update David?

No, we're not switching to the 2.9 branch.
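The six ALTER TABLE statements in the comment above are specific to that installation; the following queries, added here as an example and not part of the bug thread, derive the list from the live database instead, so they also cover tables the comment does not name. They assume the database is called moodle (as in the setup earlier in this report) and that the server is MySQL 5.5/5.6 or MariaDB 10.0, where ROW_FORMAT values Compact and Redundant mean the Antelope file format.

```sql
-- Added example, not from the thread. Lists the InnoDB tables in the
-- 'moodle' database that still use an Antelope row format (Compact or
-- Redundant); Barracuda tables report Dynamic or Compressed.
SELECT TABLE_NAME, ROW_FORMAT
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'moodle'
   AND ENGINE = 'InnoDB'
   AND ROW_FORMAT IN ('Compact', 'Redundant')
 ORDER BY TABLE_NAME;

-- Generate the matching ALTER TABLE statements for review before running
-- them. innodb_file_per_table=1 and innodb_file_format=Barracuda must be
-- set first (see the SET GLOBAL lines in the comment above), otherwise
-- the ALTER completes but the table stays in Compact format.
SELECT CONCAT('ALTER TABLE `', TABLE_NAME, '` ROW_FORMAT=Compressed;') AS stmt
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'moodle'
   AND ENGINE = 'InnoDB'
   AND ROW_FORMAT IN ('Compact', 'Redundant')
 ORDER BY TABLE_NAME;

-- After the conversion this count should be 0; if it is not, re-check the
-- two innodb_* settings and re-run the generated statements.
SELECT COUNT(*) AS antelope_tables_left
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'moodle'
   AND ENGINE = 'InnoDB'
   AND ROW_FORMAT IN ('Compact', 'Redundant');
```

The same check is what Moodle's unsupported_db_table_row_format warning is reporting on, so it is a quick way to confirm the warning has been cleared without reloading the admin page.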
Adding the OK then. I'll validate later.
Whiteboard: has_procedure => has_procedure mga5-64-ok
Validating. Advisory uploaded. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0381.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/658310/