Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Jan 2016 11:56:30 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: [vs] moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
e: marina@...dle.com
p: +61 8 9467 4167 w: moodle.com

==============================================================================
MSA-16-0001: Two enrolment-related web services don't check course visibility

Description:       Web services core_enrol_get_course_enrolment_methods and
                   enrol_self_get_instance_info did not check user permission
                   to access hidden courses
Issue summary:     External functions core_enrol_get_course_enrolment_methods
                   and enrol_self_get_instance_info don't check course
                   visibility
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and
                   earlier unsupported versions
Versions fixed:    3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by:       Juan Leyva
Issue no.:         MDL-52072
CVE identifier:    CVE-2016-0724
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072

==============================================================================
MSA-16-0002: XSS Vulnerability in course management search

Description:       Search string in course management interface was not
                   escaped when being output creating potential for XSS attack
Issue summary:     XSS Vulnerability in course management search
Severity/Risk:     Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed:    3.0.2, 2.9.4 and 2.8.10
Reported by:       Oliveira Lima
Issue no.:         MDL-52552
CVE identifier:    CVE-2016-0725
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552

==============================================================================

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.