Date: Mon, 15 Sep 2014 08:44:20 +0800 From: Michael de Raadt <michaeld@...dle.com> To: oss-security@...ts.openwall.com Subject: Moodle security notifications public The following security notifications are now public after release. Thanks to OSS members for their continued cooperation. ======================================================================= MSA-14-0033: URL parameter injection in CAS authentication Description: A flaw in the third-party CAS library, utilised by Moodle, has been found, which could potentially allow unauthorised access and privilege escalation. Issue summary: Upgrade phpCAS to 1.3.3 or greater - security vulnerabilities Severity/Risk: Serious Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions Versions fixed: 2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not possible. CAS users with Moodle 2.5 or earlier are encouraged to upgrade to a more recent release.) Reported by: Eric Merrill Issue no.: MDL-46766 CVE identifier: CVE-2014-4172 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766 ======================================================================= MSA-14-0034: Identity information revealed early in Q&A forum Description: Users who had not yet posted the required answer in a Q&A forum in order to access past posts were able to see the name of the last person who had posted. Issue summary: Other authors are visible in /mod/forum/view.php before student has posted their own answer. Severity/Risk: Minor Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions Versions fixed: 2.7.2, 2.6.5 and 2.5.8 Reported by: Amanda Doughty Issue no.: MDL-46619 CVE identifier: CVE-2014-3617 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 =======================================================================
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.