moodle versions and updates

alexispellicier · November 1, 2011, 10:18am

Hello,

There is 3 versions of moodle on moodle.org: 1.9.14,2.0.5 and 2.1.2

From the education repo 1.9.13 and 2.0.2 are available.

Those versions are affected by these security issues :
-MSA-11-0038: Database injection protection strengthened
-MSA-11-0039: Wiki section vulnerability
Which are describe as serious (Moodle.org: Security news)

Is there a plan to provide an update soon? Shall we better not use education repo for installing moodle?

Thank you for your advice.

ken_yap · November 1, 2011, 11:51am

You’re actually better off installing Moodle from CVS from moodle.org, then you can update anytime.

PS: We are not devs and it’s not certain that the packager hangs around these forums.

alexispellicier · November 1, 2011, 1:44pm

I’ll do that and delete the education repo from my server so I can be certain no compromise software could be install on my system.

Thank you.

lrupp · November 2, 2011, 2:53pm

In such cases, just find out the one who is currently maintaining the package:
rpm -q --changelog moodle1 | less
=> have a look at the mentioned Email addresses…
And write her/him an Email requesting an update. You can also open a bug at https://bugzilla.novell.com/ about the issue.

This works much faster than asking here in the Forum, where packagers normally are not available.

DenverD · November 2, 2011, 7:55pm

On 11/02/2011 02:56 PM, lrupp wrote:
>
> This works much faster than asking here in the Forum, where packagers
> normally are not available.

thanks!! for coming by…please do so more often…(try it via
nntp…looks and feels more gooder!)

–
DD
openSUSE®, the “German Automobiles” of operating systems

alexispellicier · November 2, 2011, 9:05pm

This works much faster than asking here in the Forum, where packagers normally are not available.[/QUOTE]

OK thank for the tip I was wondering where I could find this information.
I’ll definitively send him a mail about that issue.

lrupp · November 25, 2011, 9:22am

looking at the repos, it looks to me like the problem is fixed. So as result: trying to find the “right” channel is never easy - but at least for reaching packagers someone should better try to reach them via direct Email, opensuse-edu@opensuse.org mailinglist or (maybe) the #opensuse-edu channel on irc.freenode.net

alexispellicier · November 25, 2011, 9:31am

Indeed!
I got an answer the same day I send direct email to packager.
Thanks again.