Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 15 Sep 2014 08:44:20 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0033: URL parameter injection in CAS authentication

Description:       A flaw in the third-party CAS library, utilised by
                    Moodle, has been found, which could potentially
                    allow unauthorised access and privilege escalation.
Issue summary:     Upgrade phpCAS to 1.3.3 or greater - security
                    vulnerabilities
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                    unsupported versions
Versions fixed:    2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not
                    possible. CAS users with Moodle 2.5 or earlier are
                    encouraged to upgrade to a more recent release.)
Reported by:       Eric Merrill
Issue no.:         MDL-46766
CVE identifier:    CVE-2014-4172
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766

=======================================================================
MSA-14-0034: Identity information revealed early in Q&A forum

Description:       Users who had not yet posted the required answer in
                    a Q&A forum in order to access past posts were able
                    to see the name of the last person who had posted.
Issue summary:     Other authors are visible in /mod/forum/view.php
                    before student has posted their own answer.
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                    unsupported versions
Versions fixed:    2.7.2, 2.6.5 and 2.5.8
Reported by:       Amanda Doughty
Issue no.:         MDL-46619
CVE identifier:    CVE-2014-3617
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619

=======================================================================

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ