Upstream has released new versions on November 9:
https://moodle.org/mod/forum/discuss.php?d=322852
https://docs.moodle.org/dev/Moodle_2.8.9_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.9, if guest access is open on the site, unauthenticated users can store Atto draft data through the editor autosave area, which could be exploited in a denial of service attack (CVE-2015-5332).

In Moodle before 2.8.9, due to a CSRF issue in the site registration form, it is possible to trick a site admin into sending aggregate stats to an arbitrary domain. The attacker can send the admin a link to a site registration form that will display the correct URL but, if submitted, will register with another hub (CVE-2015-5335).

In Moodle before 2.8.9, the standard survey module is vulnerable to an XSS attack by students who fill in the survey (CVE-2015-5336).

In Moodle before 2.8.9, there was a reflected XSS vulnerability in the Flowplayer flash video player (CVE-2015-5337).

In Moodle before 2.8.9, password-protected lesson modules are subject to a CSRF vulnerability in the lesson login form (CVE-2015-5338).

In Moodle before 2.8.9, through the web service core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible when using the web site (CVE-2015-5339).

In Moodle before 2.8.9, logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges (CVE-2015-5340).

In Moodle before 2.8.9, the SCORM module allows bypassing access restrictions based on date and lets users view the SCORM contents (CVE-2015-5341).

In Moodle before 2.8.9, the choice module closing date can be bypassed, allowing users to delete or submit new responses after the choice module was closed (CVE-2015-5342).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5342
https://moodle.org/mod/forum/discuss.php?d=323229
https://moodle.org/mod/forum/discuss.php?d=323230
https://moodle.org/mod/forum/discuss.php?d=323231
https://moodle.org/mod/forum/discuss.php?d=323232
https://moodle.org/mod/forum/discuss.php?d=323233
https://moodle.org/mod/forum/discuss.php?d=323234
https://moodle.org/mod/forum/discuss.php?d=323235
https://moodle.org/mod/forum/discuss.php?d=323236
https://moodle.org/mod/forum/discuss.php?d=323237
https://docs.moodle.org/dev/Moodle_2.8.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=322852
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.9-1.mga5

from moodle-2.8.9-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production Moodle server at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
moodle

default install of moodle

[root@localhost wilcal]# urpmi moodle
Package moodle-2.8.8-1.mga5.noarch is already installed

To get this up and running simplest way:

urpmi mariadb
systemctl enable mysqld.service
systemctl start mysqld.service
mysql -u root
mysql> create database moodle;
mysql> create user 'moodle'@'localhost' identified by '<test>';
mysql> grant all on moodle.* to 'moodle'@'localhost';
mysql> ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> exit;

Then in an su - terminal
kwrite /var/www/moodle/config.php
and in the empty single quotes for dbuser and dbpass, put 'moodle' for dbuser ( line 11 ), and the password 'test' ( line 12 ) used to create user mysql command in for dbpass.

All went as expected.

stop then restart mysqld

Then browse to http://localhost/moodle to complete the setup.

"Unable to connect" on Firefox browser.
http://localhost/~wilcal/ works fine on the same browser.

I still get this. Hints?
CC: (none) => wilcal.int
I think that means unable to connect to the database. If your commands were exactly what you typed, when you created the user in mysql, it should have been "identified by 'test';" without the <>. (Or perhaps you could put the password as <test> in config.php, that might work too).
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0464.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/666962/