Date: Mon, 20 Jan 2014 08:59:55 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0001: Config passwords visibility issue

Description: Some password changes on admin pages were being recorded
and shown to administrators in the config log report.
Issue summary: Config Changes Report reveals passwords as plain text
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7 and earlier
unsupported versions
Versions fixed: 2.6.1, 2.5.4 and 2.4.8
Reported by: Andrew Steele
Issue no.: MDL-36721
CVE identifier: CVE-2014-0008
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721

=======================================================================
MSA-14-0002: Group constraints lacking in "login as"

Description: Users were able to log in as a user who is not in the same
group, without having the permission to see all groups.
Issue summary: Users with loginas permission and access all groups
prohibited can login as user not in their group by direct url
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Itamar Tzadok
Issue no.: MDL-42643
CVE identifier: CVE-2014-0009
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643

=======================================================================
MSA-14-0003: Cross-site request forgery vulnerability in profile fields

Description: Custom profile fields and categories were open to deletion
without proper session checking.
Issue summary: Two Cross-site Request Forgery (CSRF) vulnerabilities
found in /user/profile/index.php
Severity/Risk: Serious
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Jun Zhu
Issue no.: MDL-42883
CVE identifier: CVE-2014-0010
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJS3HS7AAoJECGmGwK/mszPKxMIAIkiFaKtzEKI/3n4TOqU5AcF
Mkm4k60lQgXxRYVptpReDqCUEX08oI86rCtz8vqNx0p04nerhd54An6l9E6uRQrg
40uHGR++LkD2ULflZyFPyQl+GgzGiuAtkvlIq84k5t5WtpkfqQi9DA5GMEpRzu4G
26yCd1oaVKPr22vLfGGbjtYdDHaSGTEdFuB6hvDM5pl7WsTzNg35n9Bwb7QnmbqL
saMiPrRJ8uVgDqP6roZDuidMTdOcxHPfAxuv4pNhkTbjmB4jtYs7Wz91sbqX90cb
u8LbFygvgZ5UnjuCxVlycL/MLaMDr8ucfl1tVBWp/iBzipd0AOh6zurI1tijORs=
=xb4F
-----END PGP SIGNATURE-----
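The pattern behind MSA-14-0003 (a state-changing admin action reachable without a session token) and MSA-14-0001 (secret values written to a change log) can be shown side by side. The block below is an added illustration, not code from the Moodle advisory or the MDL-42883/MDL-36721 commits. It uses Moodle's real helpers `optional_param()`, `require_sesskey()`, `sesskey()`, `moodle_url`, `html_writer::link()` and the `$DB` API, but the handler layout, the `deletefield_unsafe` action name, the `redact_config_change()` function and the sample config changes are hypothetical:

```php
<?php
// Added example (not Moodle's own code). Assumes it lives under
// moodle/user/profile/ so that ../../config.php is the Moodle bootstrap.
require_once(__DIR__ . '/../../config.php');

require_login();
require_capability('moodle/site:config', context_system::instance());

$action = optional_param('action', '', PARAM_ALPHA);
$id     = optional_param('id', 0, PARAM_INT);

// --- CSRF (MSA-14-0003 shape) -------------------------------------------
// Vulnerable shape: any page an administrator visits while logged in can
// trigger this with a plain GET, e.g.
//   <img src="https://site/user/profile/index.php?action=deletefield_unsafe&id=7">
// The browser attaches the admin's session cookie; nothing proves intent.
if ($action === 'deletefield_unsafe') {
    $DB->delete_records('user_info_field', ['id' => $id]);   // hypothetical handler
}

// Hardened shape: require_sesskey() ends the request unless the 'sesskey'
// parameter matches the token bound to the current session.
if ($action === 'deletefield') {
    require_sesskey();
    $DB->delete_records('user_info_field', ['id' => $id]);
    redirect(new moodle_url('/user/profile/index.php'));
}

// The legitimate link must carry the token. A cross-origin attacker page
// cannot read sesskey() from the admin's session, so it cannot forge it.
$deleteurl = new moodle_url('/user/profile/index.php',
    ['action' => 'deletefield', 'id' => $id, 'sesskey' => sesskey()]);
echo html_writer::link($deleteurl, get_string('delete'));

// --- Secret redaction in a config-change log (MSA-14-0001 shape) ----------
// Hypothetical helper: masks old/new values of secret-bearing settings
// before they are stored. $secretnames is an explicit allowlist; the regex
// is a fallback for names that merely look secret.
function redact_config_change(string $name, ?string $old, ?string $new,
                              array $secretnames): array {
    $issecret = in_array($name, $secretnames, true)
        || preg_match('/(pass(word)?|secret|token)$/i', $name) === 1;
    $mask = function (?string $v) use ($issecret): string {
        if ($v === null || $v === '') {
            return '';                 // keep "was empty" visible, nothing to leak
        }
        return $issecret ? '********' : $v;
    };
    return ['name' => $name, 'oldvalue' => $mask($old), 'newvalue' => $mask($new)];
}

// Constructed sample changes (not real log data).
$secretnames = ['smtppass', 'proxypassword'];
$changes = [
    ['smtppass',   '',           'hunter2'],
    ['sitename',   'Old Site',   'New Site'],
    ['ldap_token', 'abc',        'def'],
];
foreach ($changes as [$name, $old, $new]) {
    $row = redact_config_change($name, $old, $new, $secretnames);
    // smtppass   -> '' / ********
    // sitename   -> Old Site / New Site
    // ldap_token -> ******** / ********
    echo "{$row['name']}: {$row['oldvalue']} / {$row['newvalue']}\n";
}
```

Two caveats a practitioner would add: a delete should be a POST behind a confirmation page rather than a tokenised GET, since links with tokens end up in referers and browser history; and an allowlist keyed on the setting's declared type (password settings are declared as such in Moodle's admin tree) is more reliable than a name regex, which is only a safety net for settings nobody remembered to flag.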