Upstream has released new versions on January 11:
https://moodle.org/mod/forum/discuss.php?d=325820
https://docs.moodle.org/dev/Moodle_2.8.10_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.10, web services core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info did not check user permission to access hidden courses (CVE-2016-0724).

In Moodle before 2.8.10, search string in course management interface was not escaped when being output creating potential for XSS attack (CVE-2016-0725).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0725
https://moodle.org/mod/forum/discuss.php?d=326205
https://moodle.org/mod/forum/discuss.php?d=326206
https://docs.moodle.org/dev/Moodle_2.8.10_release_notes
https://moodle.org/mod/forum/discuss.php?d=325820
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.10-1.mga5

from moodle-2.8.10-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production LMS at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0029.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/672824/