Moodle 2.8.3, 2.7.5 and 2.6.8 are now available (emergency release)
This email is going out to many thousands of registered Moodle admins. You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you don’t want these emails then please re-register your site with your new preferences or use the unsubscribe link below. Replies to this email will not be read.
I’m writing today to let you know that Moodle 2.8.3, 2.7.5 and 2.6.8 are available via the usual open download channels: https://download.moodle.org or Git. Last week a critical security issue was reported in Moodle, and we decided to make an emergency release.
Note that the 2.6 branch is now supported for security fixes only. This emergency release does not shift the normal release schedule and the next minor release will happen as planned on the second Monday of March.
Release notes are available for each new version.
As well as a long list of bug fixes, performance improvements and polishing, there is a critical security issue you should be aware of. Details of this security issue are listed below.
As a registered Moodle admin we are giving you advance notice of these issues so you have some time to fix them before we publish them more widely on https://moodle.org/security in one week.
To avoid leaving your site vulnerable, we highly recommend you upgrade your sites to the latest Moodle version as soon as you can.
This vulnerability is present in all Moodle versions starting from 2.3. On versions 2.3.x and 2.4.x it can only be exploited on Windows servers; starting from Moodle 2.5 it can be exploited on servers running any operating system. If you host an unsupported version, or cannot upgrade a supported version straight away, you should apply the fix manually to protect your server. As a temporary workaround the webserver can also be configured to prevent access to URLs containing “../” or “..”, although we do not recommend this as a permanent solution.
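The announcement offers the “../” / “..” URL filter only as a stop-gap, and it is worth seeing why. The script below is an added example, not part of the Moodle announcement and not Moodle’s code: it normalizes request URLs the way a traversal check has to (percent-decoding, including double encoding, and treating backslashes as separators, which PHP on Windows accepts), compares that against the literal workaround, and scans constructed access-log lines for traversal attempts against the JS-serving scripts. The script names in `JS_SCRIPTS`, the Common Log Format, and every sample log line are assumptions for illustration; the advisory names the `file` parameter but not the scripts or any attack strings.

```python
"""
Added example, not Moodle's code nor part of the original announcement.

Two things an admin applying MSA-15-0009 would want to check:

1. how much the temporary workaround (deny URLs containing "../" or "..")
   actually covers once requests are percent-encoded or use backslashes;
2. whether the access log already shows traversal attempts against the
   JS-serving scripts.

Assumptions, not taken from the advisory: the script names in JS_SCRIPTS,
the log format (Common Log Format) and every sample log line below.
"""
import re
import urllib.parse
from typing import Iterable, List, Tuple

# Assumed names of the JS-serving scripts; the advisory does not list them.
JS_SCRIPTS = ("/lib/javascript.php", "/theme/javascript.php", "/theme/yui_combo.php")

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def literal_filter_blocks(raw_url: str) -> bool:
    """The workaround taken literally: deny a request whose raw URL text
    contains "..". Sees "../" and "..\\" but nothing percent-encoded."""
    return ".." in raw_url


def normalize(raw: str) -> str:
    """Rewrite a URL into the form a traversal check has to inspect:
    percent-decode twice (covers double encoding), fold "\\" to "/"
    (PHP on Windows accepts both separators), collapse repeated slashes."""
    s = raw
    for _ in range(2):
        s = urllib.parse.unquote(s)
    s = s.replace("\\", "/")
    return re.sub(r"/+", "/", s)


def is_traversal(raw_url: str) -> bool:
    """True when any segment of the normalized path or query is exactly ".."."""
    segments = re.split(r"[/?&=]", normalize(raw_url))
    return ".." in segments


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, bool]]:
    """Return (ip, target, status, literal_filter_blocks) for every request to
    a JS-serving script that contains a traversal after normalization."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = normalize(target.split("?", 1)[0])
        if not any(script in path for script in JS_SCRIPTS):
            continue
        if is_traversal(target):
            hits.append((m.group("ip"), target, m.group("status"),
                         literal_filter_blocks(target)))
    return hits


def workaround_gaps(lines: Iterable[str]) -> List[str]:
    """Targets the normalized check flags but the literal ".." filter lets through."""
    return [target for _, target, _, blocked in scan_log(lines) if not blocked]


# Constructed log lines using RFC 5737 test addresses; none are real traffic.
SAMPLE_LOG = [
    # benign: revisioned JS request via PATH_INFO
    '203.0.113.10 - - [10/Feb/2015:09:12:01 +0000] "GET /lib/javascript.php/1423000000/lib/javascript-static.js HTTP/1.1" 200 5120',
    # benign: the same file via the query parameter
    '203.0.113.10 - - [10/Feb/2015:09:12:02 +0000] "GET /lib/javascript.php?rev=1423000000&file=/lib/javascript-static.js HTTP/1.1" 200 5120',
    # literal traversal: the workaround catches this one
    '198.51.100.7 - - [10/Feb/2015:09:13:44 +0000] "GET /lib/javascript.php?file=/../../../../etc/passwd HTTP/1.1" 200 1842',
    # percent-encoded traversal: a raw-text match on ".." never sees it
    '198.51.100.7 - - [10/Feb/2015:09:13:45 +0000] "GET /theme/javascript.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1842',
    # double-encoded traversal
    '198.51.100.7 - - [10/Feb/2015:09:13:46 +0000] "GET /theme/yui_combo.php?%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 211',
    # backslash separators, the Windows case
    '198.51.100.7 - - [10/Feb/2015:09:13:47 +0000] "GET /lib/javascript.php?file=..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 403',
    # traversal against an unrelated script: out of scope for this advisory
    '198.51.100.7 - - [10/Feb/2015:09:14:00 +0000] "GET /index.php?x=../../etc/passwd HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    for ip, target, status, blocked in scan_log(SAMPLE_LOG):
        verdict = "blocked by workaround" if blocked else "NOT caught by workaround"
        print(f"{ip} {status} {target}\n    {verdict}")
```

Of the four traversal attempts against the JS scripts in the sample, the literal filter stops only the two that spell out “..” in the raw request; the percent-encoded and double-encoded forms pass it. Where a webserver rule runs also matters: in Apache’s mod_rewrite, for example, `RewriteRule` matches the percent-decoded path while `RewriteCond %{QUERY_STRING}` matches the raw query string, so a pattern written for one does not automatically cover the other. Run the check against the normalized value, and treat the filter as a bridge until the upgrade or the manual fix is in place.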
Thanks, as always, to EVERYONE involved in reporting and fixing issues. It really is a team effort and one with more and more people involved all the time.
Thanks for using Moodle and being part of the Moodle open source community.
Development Process Manager, Moodle HQ
MSA-15-0009: Directory Traversal Attack possible through some files serving JS
Description: The "file" parameter passed to scripts serving JS was not always cleaned of "../" in the path, allowing files located outside the Moodle directory to be read. All operating systems are affected, but Windows servers are especially vulnerable.
Issue summary: Preauthenticated Local File Disclosure
Versions affected: 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier
Versions fixed: 2.8.3, 2.7.5 and 2.6.8
Reported by: Emiel Florijn
Issue no.: MDL-48980 and MDL-48990
Workaround: Prevent access to URLs containing "../" or ".." in web
CVE identifier: CVE-2015-0246
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980