Date: Fri, 11 Dec 2009 21:50:26 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security <oss-security@...ts.openwall.com>, oss-security <oss-security@...ts.openwall.com> cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- moodle 1.9.7 and 1.8.11 On Sun, 6 Dec 2009, Jan Lieskovsky wrote: > * MSA-09-0022 - Multiple CSRF problems fixed Use CVE-2009-4297 > * MSA-09-0023 - Fixed user account disclosure in LAMS module Use CVE-2009-4298 > * MSA-09-0024 - Fixed insufficient access control in Glossary module Use CVE-2009-4299 > * MSA-09-0025 - Unneeded MD5 hashes removed from user table Use CVE-2009-4300 > * MSA-09-0026 - Fixed invalid application access control in MNET > interface Use CVE-2009-4301 > * MSA-09-0027 - Ensured login information is always sent secured when > using SSL for logins Use CVE-2009-4302 > * MSA-09-0028 - Passwords and secrets are no longer ever saved in > backups, new backup capabilities > moodle/backup:userinfo and moodle/restore:userinfo for > controlling who can > backup/restore user data, new checks in the security > overview report help > admins identify dangerous backup permissions Use CVE-2009-4303 This will be focused on the storage of passwords and secrets in backups; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.) > * MSA-09-0029 - A strong password policy is now enabled by default, > enabling password salt > in encouraged in config.php, admins are forced to change > password after the > upgrade and admins can force password change on other > users via Bulk user actions Use CVE-2009-4304 This will focus on the lack of password salt; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.) > * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle > won't serve Flash to insecure plugins This seems to be a defense-in-depth fix, which typically does not receive a CVE. > * MSA-09-0031 - Fixed SQL injection in SCORM module Use CVE-2009-4305 Descriptions will be filled in later. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.