Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 11 Dec 2009 21:50:26 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>,
        oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- moodle 1.9.7 and 1.8.11


On Sun, 6 Dec 2009, Jan Lieskovsky wrote:

>    * MSA-09-0022 - Multiple CSRF problems fixed

Use CVE-2009-4297


>    * MSA-09-0023 - Fixed user account disclosure in LAMS module

Use CVE-2009-4298


>    * MSA-09-0024 - Fixed insufficient access control in Glossary module


Use CVE-2009-4299

>    * MSA-09-0025 - Unneeded MD5 hashes removed from user table


Use CVE-2009-4300

>    * MSA-09-0026 - Fixed invalid application access control in MNET 
> interface

Use CVE-2009-4301


>    * MSA-09-0027 - Ensured login information is always sent secured when 
> using SSL for logins

Use CVE-2009-4302


>    * MSA-09-0028 - Passwords and secrets are no longer ever saved in 
> backups, new backup capabilities
>                    moodle/backup:userinfo and moodle/restore:userinfo for 
> controlling who can
>                    backup/restore user data, new checks in the security 
> overview report help
>                    admins identify dangerous backup permissions

Use CVE-2009-4303

This will be focused on the storage of passwords and secrets in backups; 
the remainder are considered defense-in-depth changes and not being 
considered for CVE.  (Arguments welcome.)


>    * MSA-09-0029 - A strong password policy is now enabled by default, 
> enabling password salt
>                    in encouraged in config.php, admins are forced to change 
> password after the
>                    upgrade and admins can force password change on other 
> users via Bulk user actions

Use CVE-2009-4304

This will focus on the lack of password salt; the remainder are considered 
defense-in-depth changes and not being considered for CVE.  (Arguments 
welcome.)


>    * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle 
> won't serve Flash to insecure plugins

This seems to be a defense-in-depth fix, which typically does not receive 
a CVE.


>    * MSA-09-0031 - Fixed SQL injection in SCORM module

Use CVE-2009-4305


Descriptions will be filled in later.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.