Upstream has released new versions on March 14:
https://moodle.org/mod/forum/discuss.php?d=329783
https://docs.moodle.org/dev/Moodle_2.8.11_release_notes

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.8.11, teachers who otherwise were not supposed to see students' emails could see them in the participants list (CVE-2016-2151).

In Moodle before 2.8.11, Moodle traditionally trusted content from external DB, however it was decided that external datasources may not be aware of web security practices and data could cause problems after importing to Moodle (CVE-2016-2152).

In Moodle before 2.8.11, a user with higher permissions could be tricked into clicking a link which would result in Reflected XSS in mod_data advanced search (CVE-2016-2153).

In Moodle before 2.8.11, users without capability to view hidden courses but with capability to subscribe to Event Monitor rules could see the names of hidden courses (CVE-2016-2154).

In Moodle before 2.8.11, the Non-Editing Instructor role can edit the exclude checkbox in the Single View grade report (CVE-2016-2155).

In Moodle before 2.8.11, users without the capability to view hidden activities could still see associated calendar events via web services, via the external function get_calendar_events (CVE-2016-2156).

In Moodle before 2.8.11, CSRF is possible on the Assignment plugin admin page, however an exploit is unlikely to benefit anybody and can easily be reversed (CVE-2016-2157).

In Moodle before 2.8.11, enumeration of course category details is possible without authentication (CVE-2016-2158).

In Moodle before 2.8.11, students were able to add assignment submissions after the due date through web service, via the external function mod_assign_save_submission (CVE-2016-2159).

In Moodle before 2.8.11, when following external links that were added with the _blank target, a referer header would be added (CVE-2016-2190).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2190
https://moodle.org/mod/forum/discuss.php?d=330173
https://moodle.org/mod/forum/discuss.php?d=330174
https://moodle.org/mod/forum/discuss.php?d=330175
https://moodle.org/mod/forum/discuss.php?d=330176
https://moodle.org/mod/forum/discuss.php?d=330177
https://moodle.org/mod/forum/discuss.php?d=330178
https://moodle.org/mod/forum/discuss.php?d=330179
https://moodle.org/mod/forum/discuss.php?d=330180
https://moodle.org/mod/forum/discuss.php?d=330181
https://moodle.org/mod/forum/discuss.php?d=330182
https://docs.moodle.org/dev/Moodle_2.8.11_release_notes
https://moodle.org/mod/forum/discuss.php?d=329783
========================

Updated packages in core/updates_testing:
========================
moodle-2.8.11-1.mga5 from moodle-2.8.11-1.mga5.src.rpm
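As an added check (not part of this bug report, of Mageia's packaging, or of Moodle's own code), the following Python script decides whether a Moodle tree or the installed package is at or past the 2.8.11 fix level named in the advisory above. It assumes Moodle's version.php carries a line of the form `$release = '2.8.11 (Build: 20160314)';` and that a trailing `+` marks a weekly build newer than the tagged release; the version.php contents embedded below are constructed samples, not real files. Releases on another branch (e.g. 3.0.x) are reported as "not covered by this advisory" rather than guessed at.

```python
"""Is a Moodle install at or past the 2.8.11 fix level for CVE-2016-2151..2159, 2190?

Added example; not Mageia's or Moodle's own code.  Assumptions:
  * version.php contains   $release = '2.8.11 (Build: 20160314)';
  * a trailing '+' in $release marks a weekly build after the tagged release.
"""
import re
from typing import Optional, Tuple

# First release on the 2.8 branch that the advisory above says fixes the issues.
FIXED_RELEASE = (2, 8, 11)

# Constructed sample version.php contents, one per scenario (not real files).
SAMPLES = {
    "vulnerable":   "$version  = 2014111010.00;\n$release  = '2.8.10 (Build: 20160111)';\n",
    "weekly_plus":  "$release  = '2.8.10+ (Build: 20160218)';\n",
    "fixed":        "$release  = '2.8.11 (Build: 20160314)';\n",
    "fixed_plus":   "$release  = '2.8.11+ (Build: 20160317)';\n",
    "other_branch": "$release  = '3.0.3 (Build: 20160314)';\n",
}

# major.minor[.patch] followed by an optional '+' (weekly build marker).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\+?)")
# The $release assignment inside version.php; the value may be single- or double-quoted.
_RELEASE_RE = re.compile(r"\$release\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(s: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """'2.8.11+ (Build: ...)' -> ((2, 8, 11), True); None if unparseable."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, plus = m.groups()
    return (int(major), int(minor), int(patch or 0)), plus == "+"


def parse_release(version_php: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Extract and parse $release from the text of a Moodle version.php."""
    m = _RELEASE_RE.search(version_php)
    return parse_version(m.group(1)) if m else None


def _fixed(rel: Tuple[int, int, int], fixed=FIXED_RELEASE) -> Optional[bool]:
    # Only the branch the advisory covers can be judged against this fix level;
    # a different major.minor returns None ("not covered") instead of a guess.
    if rel[:2] != fixed[:2]:
        return None
    return rel >= fixed


def is_fixed(version_php: str, fixed=FIXED_RELEASE) -> Optional[bool]:
    """True/False for the covered branch, None if unparseable or another branch."""
    parsed = parse_release(version_php)
    if parsed is None:
        return None
    rel, _plus = parsed          # a '+' weekly build is still ordered by its base release
    return _fixed(rel, fixed)


def rpm_version_fixed(version: str, fixed=FIXED_RELEASE) -> Optional[bool]:
    """Same decision for the value printed by  rpm -q --qf '%{VERSION}\\n' moodle  (e.g. '2.8.11')."""
    parsed = parse_version(version)
    return _fixed(parsed[0], fixed) if parsed else None


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} release={parse_release(text)} fixed={is_fixed(text)}")
    print("rpm 2.8.11 ->", rpm_version_fixed("2.8.11"))
```

Run it against a real tree with `python3 check.py` after replacing the sample text with `open('/path/to/moodle/version.php').read()`; on Mageia the `rpm_version_fixed` path is the quicker test, since the fixed package is moodle-2.8.11-1.mga5.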
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production LMS at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Validating. Advisory todo.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0122.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/681393/