Due to a recent emergency security release of Moodle, CLAMP is issuing new versions of all of its supported releases. CLAMP strongly recommends that you upgrade to one of these security releases.
Moodle is withholding public details of the vulnerability until next week. Registered Moodle admins should have received details via email. The vulnerability could allow authenticated users to submit malformed requests to retrieve files outside of the Moodle directory.
You can download the updates from their project pages:
- Moodle 2.8.3+Liberal Arts Edition 8.0.2
- Moodle 2.7.5+Liberal Arts Edition 7.0.4
- Moodle 2.6.8+Liberal Arts Edition 6.0.7
The next stable releases on the 2.8, 2.7 and 2.6 branches are still slated for March 16.
Versions prior to 2.6 are also vulnerable. In Moodle 2.3 and 2.4, only instances hosted on Windows are vulnerable. Starting with Moodle 2.5, the vulnerability affects all server operating systems. If you are running one of these versions in production, you should apply the fix directly. If you need help doing so, please contact wlee@carleton.edu or fultonc@lafayette.edu.