Updated moodle packages fix CVE-2015-1493
Publication date: 09 Feb 2015Modification date: 09 Feb 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2015-1493
Description
Updated moodle package fixes security vulnerability:
In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not
always cleaned from including "../" in the path, allowing to read files
located outside of moodle directory. All OS's are affected, but especially
vulnerable are Windows servers (CVE-2015-1493).
References
- https://bugs.mageia.org/show_bug.cgi?id=15244
- https://moodle.org/mod/forum/discuss.php?d=279956
- https://docs.moodle.org/dev/Moodle_2.6.8_release_notes
- https://moodle.org/mod/forum/discuss.php?d=279502
- http://openwall.com/lists/oss-security/2015/02/09/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1493
SRPMS
4/core
- moodle-2.6.8-1.mga4