Date: Fri, 11 Dec 2009 21:50:26 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security <oss-security@...ts.openwall.com>, oss-security <oss-security@...ts.openwall.com> cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- moodle 1.9.7 and 1.8.11 On Sun, 6 Dec 2009, Jan Lieskovsky wrote: > * MSA-09-0022 - Multiple CSRF problems fixed Use CVE-2009-4297 > * MSA-09-0023 - Fixed user account disclosure in LAMS module Use CVE-2009-4298 > * MSA-09-0024 - Fixed insufficient access control in Glossary module Use CVE-2009-4299 > * MSA-09-0025 - Unneeded MD5 hashes removed from user table Use CVE-2009-4300 > * MSA-09-0026 - Fixed invalid application access control in MNET > interface Use CVE-2009-4301 > * MSA-09-0027 - Ensured login information is always sent secured when > using SSL for logins Use CVE-2009-4302 > * MSA-09-0028 - Passwords and secrets are no longer ever saved in > backups, new backup capabilities > moodle/backup:userinfo and moodle/restore:userinfo for > controlling who can > backup/restore user data, new checks in the security > overview report help > admins identify dangerous backup permissions Use CVE-2009-4303 This will be focused on the storage of passwords and secrets in backups; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.) > * MSA-09-0029 - A strong password policy is now enabled by default, > enabling password salt > in encouraged in config.php, admins are forced to change > password after the > upgrade and admins can force password change on other > users via Bulk user actions Use CVE-2009-4304 This will focus on the lack of password salt; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.) > * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle > won't serve Flash to insecure plugins This seems to be a defense-in-depth fix, which typically does not receive a CVE. > * MSA-09-0031 - Fixed SQL injection in SCORM module Use CVE-2009-4305 Descriptions will be filled in later. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ