Updated moodle package fixes security vulnerabilities
Publication date: 11 Feb 2014
Modification date: 09 Jul 2015
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-0008, CVE-2014-0009, CVE-2014-0010
Description
Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being recorded and shown to administrators in the config log report (CVE-2014-0008).

In Moodle before 2.4.8, users were able to log in as a user who is not in the same group without the permission to see all groups (CVE-2014-0009).

In Moodle 2.4.8, custom profile fields and categories were open to deletion without proper session checking, due to two Cross-site Request Forgery (CSRF) vulnerabilities in /user/profile/index.php (CVE-2014-0010).
References
- https://bugs.mageia.org/show_bug.cgi?id=12385
- https://moodle.org/mod/forum/discuss.php?d=252414
- https://moodle.org/mod/forum/discuss.php?d=252415
- https://moodle.org/mod/forum/discuss.php?d=252416
- http://docs.moodle.org/dev/Moodle_2.4.8_release_notes
- https://moodle.org/mod/forum/discuss.php?d=251856
- https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0008
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0009
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0010
SRPMS
4/core
- moodle-2.4.8-1.mga4
3/core
- moodle-2.4.8-1.mga3