Date: Mon, 15 Sep 2014 08:44:20 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0033: URL parameter injection in CAS authentication

Description:    A flaw in the third-party CAS library, utilised by Moodle,
                has been found, which could potentially allow unauthorised
                access and privilege escalation.
Issue summary:  Upgrade phpCAS to 1.3.3 or greater - security vulnerabilities
Severity/Risk:  Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                unsupported versions
Versions fixed: 2.7.2 and 2.6.5
                (NOTE: A fix to 2.5 was not possible. CAS users with Moodle
                2.5 or earlier are encouraged to upgrade to a more recent
                release.)
Reported by:    Eric Merrill
Issue no.:      MDL-46766
CVE identifier: CVE-2014-4172
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766

=======================================================================
MSA-14-0034: Identity information revealed early in Q&A forum

Description:    Users who had not yet posted the required answer in a Q&A
                forum in order to access past posts were able to see the
                name of the last person who had posted.
Issue summary:  Other authors are visible in /mod/forum/view.php before
                student has posted their own answer.
Severity/Risk:  Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                unsupported versions
Versions fixed: 2.7.2, 2.6.5 and 2.5.8
Reported by:    Amanda Doughty
Issue no.:      MDL-46619
CVE identifier: CVE-2014-3617
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619

=======================================================================
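The MSA-14-0034 issue is a classic ordering bug: the discussion list rendered the last poster's name before checking whether the viewer had earned access to other participants' posts. The following Python sketch (an added illustration, not Moodle's own forum code; the data model, the "qanda" forum type string and the `mask_last_poster` switch are assumptions) shows the same listing built both ways, so the leak and its fix can be compared side by side. Roles such as teachers, who would normally see everything, are deliberately left out of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal, constructed data model (hypothetical; not Moodle's schema).
@dataclass
class Post:
    author: str
    body: str

@dataclass
class Discussion:
    title: str
    posts: List[Post]  # posts[0] is the opening question, the rest are answers


def viewer_has_answered(discussion: Discussion, viewer: str) -> bool:
    """True if the viewer has posted a reply (not just read the question)."""
    return any(p.author == viewer for p in discussion.posts[1:])


def list_discussions(forum_type: str, discussions: List[Discussion],
                     viewer: str, mask_last_poster: bool = True
                     ) -> List[Tuple[str, Optional[str]]]:
    """Return (title, last_poster) rows as they would be rendered for `viewer`.

    mask_last_poster=False reproduces the leaky behaviour described in the
    advisory: the last poster's name is emitted regardless of whether the
    viewer is yet allowed to see other answers.  With masking on, the name is
    withheld in a Q&A forum until the viewer has answered, except when the
    only post is the opening question, which is visible to everyone anyway.
    """
    rows: List[Tuple[str, Optional[str]]] = []
    for d in discussions:
        last: Optional[str] = d.posts[-1].author if d.posts else None
        gated = (forum_type == "qanda" and len(d.posts) > 1
                 and not viewer_has_answered(d, viewer))
        if mask_last_poster and gated:
            last = None  # identity withheld until the viewer has answered
        rows.append((d.title, last))
    return rows


# Constructed sample forum: a teacher asks, one student has answered.
SAMPLE = [
    Discussion("Week 1 question", [Post("teacher", "Explain X."),
                                   Post("bob", "X works because ...")]),
    Discussion("Unanswered so far", [Post("teacher", "Explain Y.")]),
]


def leaky_view(viewer: str):
    return list_discussions("qanda", SAMPLE, viewer, mask_last_poster=False)


def fixed_view(viewer: str):
    return list_discussions("qanda", SAMPLE, viewer, mask_last_poster=True)


if __name__ == "__main__":
    print("carol (not yet answered), leaky:", leaky_view("carol"))
    print("carol (not yet answered), fixed:", fixed_view("carol"))
    print("bob (has answered), fixed:     ", fixed_view("bob"))
```

The check belongs in the listing code path, not only in the per-post view: the advisory is specifically about /mod/forum/view.php, which lists discussions, so an access rule enforced only when opening a discussion would still leak the name in the overview.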