
Mageia alert MGASA-2014-0053 (moodle)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0053: Updated moodle package fixes security vulnerabilities
Date:  Tue, 11 Feb 2014 23:34:45 +0100
Message-ID:  <20140211223445.213805C57D@valstar.mageia.org>

MGASA-2014-0053 - Updated moodle package fixes security vulnerabilities

Publication date: 11 Feb 2014
URL: http://advisories.mageia.org/MGASA-2014-0053.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-0008, CVE-2014-0009, CVE-2014-0010

Description:
Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being recorded and shown to administrators in the config log report (CVE-2014-0008).

In Moodle before 2.4.8, users were able to log in as a user who is not in the same group without the permission to see all groups (CVE-2014-0009).

In Moodle 2.4.8, custom profile fields and categories were open to deletion without proper session checking, due to two Cross-site Request Forgery (CSRF) vulnerabilities in /user/profile/index.php (CVE-2014-0010).

References:
- https://bugs.mageia.org/show_bug.cgi?id=12385
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0008
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0009
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0010
- https://moodle.org/mod/forum/discuss.php?d=252414
- https://moodle.org/mod/forum/discuss.php?d=252415
- https://moodle.org/mod/forum/discuss.php?d=252416
- http://docs.moodle.org/dev/Moodle_2.4.8_release_notes
- https://moodle.org/mod/forum/discuss.php?d=251856
- https://lists.fedoraproject.org/pipermail/package-announc...

SRPMS:
- 4/core/moodle-2.4.8-1.mga4
- 3/core/moodle-2.4.8-1.mga3



