Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 May 2013 08:28:30 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public. Thanks to OSS 
members for their cooperation.

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:       The assignment module was not checking capabilities
                    for users downloading all assignments as a zip.
Issue summary:     Students can download assignments submitted by other
                    students
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Phillip Franks
Issue no.:         MDL-38443
CVE Identifier:    CVE-2013-2079
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:       The Gradebook's Overview report was showing grade
                    totals that may have incorrectly included hidden
                    grades.
Issue summary:     The method for figuring out
                    showtotalsifcontainhidden on the overview report is
                    flawed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Andrew Davis
Issue no.:         MDL-37475
CVE Identifier:    CVE-2013-2080
Workaround:        Ensure all courses have the same value for hiding
                    grades in the gradebook. This is set at
                    Administration > Grades > Course grade settings >
                    Hide totals if they contain hidden items
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:       When registering a site on a hub (not Moodle.net)
                    site information was being sent to the hub
                    regardless of settings chosen.
Issue summary:     Moodle send site information to a hub even though
                    it's unchecked
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Jérôme Mouneyrac
Issue no.:         MDL-37822
CVE Identifier:    CVE-2013-2081
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:       There was no check of permissions for viewing
                    comments on blog posts.
Issue summary:     Blog comment validation should verify that the user
                    can view a post.
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-37245
CVE Identifier:    CVE-2013-2082
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

=======================================================================
MSA-13-0024: Form filtering issue

Description:       Form elements named using a specific naming
                    scheme were not being filtered correctly
Issue summary:     Elements named foo[i] are not cleaned properly
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                    earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-38885
CVE Identifier:    CVE-2013-2083
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ