Moodle upstream has released upstream 2.4.4, 2.3.7, and 2.2.10 versions: http://docs.moodle.org/dev/Moodle_2.2.10_release_notes http://docs.moodle.org/dev/Moodle_2.3.7_release_notes http://docs.moodle.org/dev/Moodle_2.4.4_release_notes These releases contain unspecified security fixes, the nature of which will be public next week; as per the upstream announcements: "A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version."
Created moodle tracking bugs for this issue Affects: fedora-all [bug 964322] Affects: epel-all [bug 964324]
Further issue details (http://www.openwall.com/lists/oss-security/2013/05/21/1) are as follows: ======================================================================= MSA-13-0020: Capability issue in Assignment Description: The assignment module was not checking capabilities for users downloading all assignments as a zip. Issue summary: Students can download assignments submitted by other students Severity/Risk: Serious Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6 Versions fixed: 2.5, 2.4.4 and 2.3.7 Reported by: Phillip Franks Issue no.: MDL-38443 CVE Identifier: CVE-2013-2079 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443 ======================================================================= MSA-13-0021: Potential information leak in Gradebook Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades. Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions Versions fixed: 2.5, 2.4.4 and 2.3.7 Reported by: Andrew Davis Issue no.: MDL-37475 CVE Identifier: CVE-2013-2080 Workaround: Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475 ======================================================================= MSA-13-0022: Information leak in hub registration Description: When registering a site on a hub (not Moodle.net) site information was being sent to the hub regardless of settings chosen. Issue summary: Moodle send site information to a hub even though it's unchecked Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: J�r�me Mouneyrac Issue no.: MDL-37822 CVE Identifier: CVE-2013-2081 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822 ======================================================================= MSA-13-0023: Permission issue in blog comments Description: There was no check of permissions for viewing comments on blog posts. Issue summary: Blog comment validation should verify that the user can view a post. Severity/Risk: Serious Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: Dan Poltawski Issue no.: MDL-37245 CVE Identifier: CVE-2013-2082 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245 ======================================================================= MSA-13-0024: Form filtering issue Description: Form elements named using a specific naming scheme were not being filtered correctly Issue summary: Elements named foo[i] are not cleaned properly Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: Dan Poltawski Issue no.: MDL-38885 CVE Identifier: CVE-2013-2083 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885