Upstream has released new versions on May 9:
https://moodle.org/mod/forum/discuss.php?d=332775
https://docs.moodle.org/dev/Moodle_2.8.12_release_notes
Updated packages uploaded for Mageia 5 and Cauldron.
The advisory will be available on Monday, May 16th, so we're just testing for now.
2.8.12 is the final release in the 2.8 branch, and this will likely be the last update for this package.
Updated packages in core/updates_testing:
========================
moodle-2.8.12-1.mga5
from moodle-2.8.12-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Whiteboard: (none) => has_procedure
Working fine on our production Moodle server at work, Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Testing M5 x64 real hardware, PostgreSQL
Re-installed Moodle with Postgres from scratch.
https://docs.moodle.org/30/en/PostgreSQL
$ psql -U postgres
Password for user postgres:
Create the user for the Moodle database and assign a password:
postgres=# CREATE USER <moodleuser> WITH PASSWORD '<yourpassword>';
Create the database:
postgres=# CREATE DATABASE moodle WITH OWNER <moodleuser>;
Edited /var/www/moodle/config.php :
$CFG->dbtype = 'pgsql';
$CFG->dbname = 'moodle';
$CFG->dbuser = '<moodleDBuser>';
$CFG->dbpass = '<DBuserpassword>';
http://localhost/moodle then leads to a *very long* verification & setup sequence. Note well the Moodle admin username & rigorous password you define!
Played minimally, upgraded without problems to: moodle-2.8.12-1.mga5
http://localhost/moodle displayed immediately the default site page; but logging in as admin yields another *long* verification:confirmation process. At the end of which, the system works OK. (Well, I did get a pop-up JSON error when trying inexpertly to add a lesson to a course; ignoring that).
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================
Updated moodle package fixes security vulnerabilities:
In Moodle before 2.8.12, users are able to change profile fields that were locked by the administrator (CVE-2016-3729).
In Moodle before 2.8.12, names of hidden forums or discussions could be disclosed as part of the error message on the subscription page (CVE-2016-3731).
In Moodle before 2.8.12, users can view badges of other users without proper permissions (CVE-2016-3732).
In Moodle before 2.8.12, during the course restore, teachers could overwrite the idnumber even without having the capability to change it (CVE-2016-3733).
In Moodle before 2.8.12, possible CSRF in the URL that marks forum posts as read (CVE-2016-3734).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3734
https://moodle.org/mod/forum/discuss.php?d=333186
https://moodle.org/mod/forum/discuss.php?d=333189
https://moodle.org/mod/forum/discuss.php?d=333190
https://moodle.org/mod/forum/discuss.php?d=333191
https://moodle.org/mod/forum/discuss.php?d=333192
https://docs.moodle.org/dev/Moodle_2.8.12_release_notes
https://moodle.org/mod/forum/discuss.php?d=332775
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0180.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/688054/