Updated moodle package fixes security vulnerabilities
Publication date: 03 Aug 2015Modification date: 03 Aug 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-3272 , CVE-2015-3274 , CVE-2015-3275
Description
In Moodle before 2.8.7, phishing is possible when redirecting to external
site using referer headers in error messages (CVE-2015-3272).
In Moodle before 2.8.7, several web services returning user information
did not clean text in text custom profile fields, leading to possible XSS
(CVE-2015-3274).
In Moodle before 2.8.7, possible Javascript injection was discovered in
the SCORM module (CVE-2015-3275).
As Moodle 2.6 is no longer supported, users of this package on Mageia 4
are advised to migrate to Mageia 5.
References
- https://bugs.mageia.org/show_bug.cgi?id=16374
- https://moodle.org/mod/forum/discuss.php?d=316662
- https://moodle.org/mod/forum/discuss.php?d=316664
- https://moodle.org/mod/forum/discuss.php?d=316665
- https://docs.moodle.org/dev/Moodle_2.8.7_release_notes
- https://moodle.org/mod/forum/discuss.php?d=316289
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3272
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3274
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3275
SRPMS
5/core
- moodle-2.8.7-1.mga5