Date: Mon, 20 Jan 2014 08:59:55 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0001: Config passwords visibility issue

Description:        Some password changes on admin pages were being
                    recorded and shown to administrators in the config
                    log report.
Issue summary:      Config Changes Report reveals passwords as plain text
Severity/Risk:      Minor
Versions affected:  2.6, 2.5 to 2.5.4, 2.4 to 2.4.7 and earlier
                    unsupported versions
Versions fixed:     2.6.1, 2.5.4 and 2.4.8
Reported by:        Andrew Steele
Issue no.:          MDL-36721
CVE identifier:     CVE-2014-0008
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721

=======================================================================
MSA-14-0002: Group constraints lacking in "login as"

Description:        Users were able to log in as a user who is not in
                    the same group, without having the permission to
                    see all groups.
Issue summary:      Users with the loginas permission but without access
                    to all groups could log in as a user not in their
                    group via a direct URL
Severity/Risk:      Minor
Versions affected:  2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
                    earlier unsupported versions
Versions fixed:     2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by:        Itamar Tzadok
Issue no.:          MDL-42643
CVE identifier:     CVE-2014-0009
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643

=======================================================================
MSA-14-0003: Cross-site request forgery vulnerability in profile fields

Description:        Custom profile fields and categories could be
                    deleted without proper session checking.
Issue summary:      Two Cross-site Request Forgery (CSRF) vulnerabilities
                    found in /user/profile/index.php
Severity/Risk:      Serious
Versions affected:  2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
                    earlier unsupported versions
Versions fixed:     2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by:        Jun Zhu
Issue no.:          MDL-42883
CVE identifier:     CVE-2014-0010
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883
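The missing check behind MSA-14-0003 is Moodle's per-session token: a state-changing request must carry a sesskey that matches the one held in the user's session, otherwise a request a browser was tricked into sending from another site is honoured just like a click in Moodle's own UI. The handler below is an added illustration of that pattern, not the code of /user/profile/index.php or Moodle's actual fix; the file path local/example/deletefield.php, the action and parameter names are assumptions.

```php
<?php
// Added illustration of the CSRF pattern in MSA-14-0003; not Moodle's own code.
// Hypothetical file: local/example/deletefield.php (path and names are assumed).
require_once(__DIR__ . '/../../config.php');

$action = optional_param('action', '', PARAM_ALPHA);
$id     = optional_param('id', 0, PARAM_INT);

// Authentication and a capability check alone do not stop CSRF: the victim's
// browser supplies the session cookie for a request the victim never intended.
require_login();
require_capability('moodle/site:config', context_system::instance());

if ($action === 'delete' && $id) {
    // Vulnerable shape of this branch (what "without proper session checking"
    // means): delete_records() called here with no require_sesskey() before it.
    //
    // Hardened shape: require_sesskey() throws unless the request carries a
    // 'sesskey' parameter equal to the token stored in this user's session.
    // A page on another origin cannot read that token, so its forged request
    // is rejected before any row is touched.
    require_sesskey();
    $DB->delete_records('user_info_field', ['id' => $id]);
    redirect(new moodle_url('/local/example/deletefield.php'));
}

// Legitimate links must carry the token so that real clicks pass the check;
// sesskey() returns the current session's token and moodle_url appends it.
echo $OUTPUT->header();
foreach ($DB->get_records('user_info_field') as $field) {
    $url = new moodle_url('/local/example/deletefield.php',
        ['action' => 'delete', 'id' => $field->id, 'sesskey' => sesskey()]);
    echo html_writer::link($url, 'Delete ' . s($field->name)) . '<br />';
}
echo $OUTPUT->footer();
```

For a quick regression check, request the delete URL with a valid session cookie but with the sesskey parameter removed or altered: the hardened handler must refuse it, and the audit of every handler that mutates data reduces to confirming a require_sesskey() or confirm_sesskey() call precedes the write.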