Date: Tue, 21 May 2013 08:28:30 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public. Thanks to OSS 
members for their cooperation.

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:       The assignment module was not checking capabilities
                    for users downloading all assignments as a zip.
Issue summary:     Students can download assignments submitted by other
                    students
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Phillip Franks
Issue no.:         MDL-38443
CVE Identifier:    CVE-2013-2079
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:       The Gradebook's Overview report was showing grade
                    totals that may have incorrectly included hidden
                    grades.
Issue summary:     The method for figuring out
                    showtotalsifcontainhidden on the overview report is
                    flawed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Andrew Davis
Issue no.:         MDL-37475
CVE Identifier:    CVE-2013-2080
Workaround:        Ensure all courses have the same value for hiding
                    grades in the gradebook. This is set at
                    Administration > Grades > Course grade settings >
                    Hide totals if they contain hidden items
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:       When registering a site on a hub (not Moodle.net)
                    site information was being sent to the hub
                    regardless of settings chosen.
Issue summary:     Moodle sends site information to a hub even though
                    it's unchecked
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Jérôme Mouneyrac
Issue no.:         MDL-37822
CVE Identifier:    CVE-2013-2081
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:       There was no check of permissions for viewing
                    comments on blog posts.
Issue summary:     Blog comment validation should verify that the user
                    can view a post.
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-37245
CVE Identifier:    CVE-2013-2082
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

=======================================================================
MSA-13-0024: Form filtering issue

Description:       Form elements named using a specific naming
                    scheme were not being filtered correctly
Issue summary:     Elements named foo[i] are not cleaned properly
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-38885
CVE Identifier:    CVE-2013-2083
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885

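Two of the notices above (MSA-13-0020 and MSA-13-0023) are the same class of defect: a page served content without first checking that the requesting user held the permission that content requires. The snippet below is an added illustration of the defensive pattern, not Moodle's own fix for MDL-38443 or MDL-37245 and not code from this message. It assumes a Moodle 2.x page script, uses real core APIs (require_login, context_module::instance, require_capability, has_capability, the 'mod/assign:grade' and 'moodle/comment:view' capabilities), and the two helper names prefixed "hypothetical_" are assumptions.

```php
<?php
// Added illustration of capability gating in a Moodle 2.x page script.
// Not the project's own patch; helper names marked "hypothetical_" are invented.
require_once(__DIR__ . '/../../config.php');

$cmid = required_param('id', PARAM_INT); // course module id from the request

// Resolve the module and its course; MUST_EXIST turns a bad id into an error page.
$cm = get_coursemodule_from_id('assign', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

// Login/enrolment check. Every enrolled student passes this, so on its own it
// does not justify handing out a zip of other students' submissions.
require_login($course, true, $cm);
$context = context_module::instance($cm->id);

// The missing check in MSA-13-0020: "download all submissions" is a grader
// action, so demand a grader capability before any archive is assembled.
require_capability('mod/assign:grade', $context);

// Only after the check has passed is the archive built and sent.
hypothetical_download_all_submissions_zip($cm, $context);

/**
 * Visibility rule from MSA-13-0023: comments must never be more visible than
 * the post they belong to. Hypothetical helper; $canviewpost is the result of
 * whatever check the page already performs for the post itself.
 *
 * @param context $context  context the comments live in
 * @param int     $userid   user being checked
 * @param bool    $canviewpost whether that user may view the post
 * @return bool
 */
function hypothetical_can_view_post_comments(context $context, $userid, $canviewpost) {
    if (!$canviewpost) {
        return false; // deny before consulting any comment capability
    }
    return has_capability('moodle/comment:view', $context, $userid);
}
```

The ordering matters: require_login establishes who the user is, the capability check establishes what they may do, and the expensive or sensitive work (building the zip, rendering comments) happens only after both. Auditing for this class of bug means looking for any data-serving path that reaches the third step without the second.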