Date: Mon, 25 Nov 2013 08:49:06 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>
Subject: Moodle security notifications public

The following security notifications are now public after a delayed release.

*Please note that the MSA security numbers reported earlier were 
incorrect and out of sequence. These should be corrected.*

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-13-0036 (not MSA-13-25): Incorrect headers sent for secured resources

Description:       Some files were being delivered with incorrect
                    headers, meaning they could be cached downstream.
Issue summary:     Incorrect headers emitted for secured resources
Severity/Risk:     Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                    earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Tony Levi
Issue no.:         MDL-38743, MDL-42686
CVE identifier:    CVE-2013-4522
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743

=======================================================================
MSA-13-0037 (not MSA-13-26): Cross site scripting in Messages

Description:       JavaScript in messages was being executed on some
                    pages.
Issue summary:     Cross Site Scripting in Messages
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                    earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Panagiotis Petasis
Issue no.:         MDL-41941
CVE identifier:    CVE-2013-4523
Workaround:        Disable messages
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941

=======================================================================
MSA-13-0038 (not MSA-13-27): Access to server files through repository

Description:       The file system repository was allowing access
                    to files beyond the Moodle file area.
Issue summary:     File System repository gives read access to the
                    whole file system
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                    earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Frédéric Massart
Issue no.:         MDL-41807
CVE identifier:    CVE-2013-4524
Workaround:        Do not enable File System repository (default)
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807

=======================================================================
MSA-13-0039 (not MSA-13-28): Cross site scripting in Quiz

Description:       JavaScript in question answers was being executed on
                    the Quiz Results page.
Issue summary:     XSS on view quiz results page
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                    earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Michael Hess
Issue no.:         MDL-41820
CVE identifier:    CVE-2013-4525
Workaround:        Disable text-based question types.
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820

=======================================================================
MSA-13-0040: Cross site scripting vulnerability in YUI library

Description:       Flash files distributed with the YUI library
                    may have allowed for cross-site scripting attacks.
                    This is additional to MSA-13-0025.
Issue summary:     YUI2 security vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed:    2.3.10
Reported by:       Petr Škoda
Issue no.:         MDL-42780
CVE identifier:    CVE-2013-6780
Workaround:        Remove all SWF files under the lib/yui directory.
Changes (2.3): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780
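The root-containment check a file system repository must apply before serving a path (the defect class behind MSA-13-0038), as an added example in Python: this is not Moodle's code, and the repository tree it builds is constructed solely for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path


class RepositoryAccessError(Exception):
    """Raised when a requested path would escape the repository root."""


def resolve_within_root(root: str, requested: str) -> Path:
    """Resolve `requested` against `root`, refusing absolute paths, `..` escapes and out-of-root symlinks.
    Root and candidate are both canonicalised first, so the containment test runs on real locations."""
    if Path(requested).is_absolute():
        raise RepositoryAccessError(f"refused absolute path: {requested!r}")
    root_path = Path(root).resolve(strict=True)
    candidate = (root_path / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_path)
    except ValueError as exc:
        raise RepositoryAccessError(f"refused: {requested!r} escapes {root}") from exc
    return candidate


def check_requests(root: str, requests: list) -> dict:
    """Map each requested path to whether the containment check admits it."""
    results = {}
    for req in requests:
        try:
            resolve_within_root(root, req)
            results[req] = True
        except RepositoryAccessError:
            results[req] = False
    return results


def demo() -> dict:
    """Build a constructed repository tree (not real Moodle data) and run the check over sample requests."""
    base = Path(tempfile.mkdtemp())
    try:
        repo = base / "repo"
        (repo / "course").mkdir(parents=True)
        (repo / "course" / "notes.txt").write_text("constructed sample file")
        (base / "secret.txt").write_text("constructed file outside the repository")
        (repo / "escape").symlink_to(base / "secret.txt")  # symlink leading out of the root
        requests = ["course/notes.txt", "course/../course/notes.txt",
                    "../secret.txt", "/etc/passwd", "escape"]
        return check_requests(str(repo), requests)
    finally:
        shutil.rmtree(base)
```

Note that the symlink case is only caught because the candidate is resolved before the `relative_to` test; a check on the unresolved string would admit it.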
