Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 11 Dec 2009 21:50:26 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>,
        oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- moodle 1.9.7 and 1.8.11


On Sun, 6 Dec 2009, Jan Lieskovsky wrote:

>    * MSA-09-0022 - Multiple CSRF problems fixed

Use CVE-2009-4297


>    * MSA-09-0023 - Fixed user account disclosure in LAMS module

Use CVE-2009-4298


>    * MSA-09-0024 - Fixed insufficient access control in Glossary module


Use CVE-2009-4299

>    * MSA-09-0025 - Unneeded MD5 hashes removed from user table


Use CVE-2009-4300

>    * MSA-09-0026 - Fixed invalid application access control in MNET 
> interface

Use CVE-2009-4301


>    * MSA-09-0027 - Ensured login information is always sent secured when 
> using SSL for logins

Use CVE-2009-4302


>    * MSA-09-0028 - Passwords and secrets are no longer ever saved in 
> backups, new backup capabilities
>                    moodle/backup:userinfo and moodle/restore:userinfo for 
> controlling who can
>                    backup/restore user data, new checks in the security 
> overview report help
>                    admins identify dangerous backup permissions

Use CVE-2009-4303

This will be focused on the storage of passwords and secrets in backups; 
the remainder are considered defense-in-depth changes and not being 
considered for CVE.  (Arguments welcome.)


>    * MSA-09-0029 - A strong password policy is now enabled by default, 
> enabling password salt
>                    in encouraged in config.php, admins are forced to change 
> password after the
>                    upgrade and admins can force password change on other 
> users via Bulk user actions

Use CVE-2009-4304

This will focus on the lack of password salt; the remainder are considered 
defense-in-depth changes and not being considered for CVE.  (Arguments 
welcome.)


>    * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle 
> won't serve Flash to insecure plugins

This seems to be a defense-in-depth fix, which typically does not receive 
a CVE.


>    * MSA-09-0031 - Fixed SQL injection in SCORM module

Use CVE-2009-4305


Descriptions will be filled in later.

- Steve

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ