Updated moodle packages fix security vulnerabilities
Publication date: 18 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-3729, CVE-2016-3731, CVE-2016-3732, CVE-2016-3733, CVE-2016-3734
Description
Updated moodle package fixes security vulnerabilities:
In Moodle before 2.8.12, users are able to change profile fields that were
locked by the administrator (CVE-2016-3729).
In Moodle before 2.8.12, names of hidden forums or discussions could be
disclosed as part of the error message on the subscription page (CVE-2016-3731).
In Moodle before 2.8.12, users can view badges of other users without proper
permissions (CVE-2016-3732).
In Moodle before 2.8.12, during a course restore, teachers could overwrite
the idnumber even without having the capability to change it (CVE-2016-3733).
In Moodle before 2.8.12, there is a possible CSRF in the URL that marks forum
posts as read (CVE-2016-3734).
References
- https://bugs.mageia.org/show_bug.cgi?id=18432
- https://moodle.org/mod/forum/discuss.php?d=333186
- https://moodle.org/mod/forum/discuss.php?d=333189
- https://moodle.org/mod/forum/discuss.php?d=333190
- https://moodle.org/mod/forum/discuss.php?d=333191
- https://moodle.org/mod/forum/discuss.php?d=333192
- https://docs.moodle.org/dev/Moodle_2.8.12_release_notes
- https://moodle.org/mod/forum/discuss.php?d=332775
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3729
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3731
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3732
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3733
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3734
SRPMS
5/core
- moodle-2.8.12-1.mga5