Message-ID: <CAB_jSYzeDXmorPQ8h+eb1j3vxUuJTEJvk--OAGi6ywY+i6eV+w@mail.gmail.com>
Date: Mon, 13 Jul 2015 10:39:20 +1000
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: moodle security announcements

The following security notifications have now been made public. Thanks to OSS members for their cooperation.

Marina Glancy
Development Process Manager
marina@...dle.com
+61894674167 | moodle.com
The world's open source learning platform

==============================================================================
MSA-15-0026: Possible phishing when redirecting to external site using referer header

Description: Another case where redirecting to an external site was possible in error messages. See also MSA-15-0019 (CVE-2015-3175).
Issue summary: PARAM_LOCALURL is vulnerable to open redirects
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Totara
Issue no.: MDL-50688
CVE identifier: CVE-2015-3272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50688

==============================================================================
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum

Description: Capability 'mod/forum:canposttomygroups' was not respected when using 'Post a copy to all groups' in forum. Capability to post to each individual group was always required.
Issue summary: canposttomygroups capability is not checked in mod/forum/post.php
Severity/Risk: Minor
Versions affected: 2.9
Versions fixed: 2.9.1
Reported by: Juan Leyva
Issue no.: MDL-50220
CVE identifier: CVE-2015-3273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50220

==============================================================================
MSA-15-0028: Possible XSS through custom text profile fields in Web Services

Description: Several web services returning user information did not clean text in text custom profile fields.
Issue summary: Custom profile fields (textarea) are not passed through external_format_text when returned by several web services
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Marina Glancy
Issue no.: MDL-50130
CVE identifier: CVE-2015-3274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130

==============================================================================
MSA-15-0029: Javascript injection in SCORM module

Description: A penetration test discovered possible Javascript injection in the SCORM module.
Issue summary: Inadequate JavaScript Handling in SCORM
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Martin Greenaway
Issue no.: MDL-50614
CVE identifier: CVE-2015-3275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614

==============================================================================
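Added example, not part of the announcement above and not Moodle's own code: MSA-15-0026 (like MSA-15-0019 before it) is the open-redirect pattern in which a "local URL" taken from the Referer header is not actually confined to the site. The snippet below shows the kind of same-origin check a "local URL" parameter type needs, written in Python so it runs stand-alone; the site root lms.example.org/moodle, the header samples and the function names are all constructed for illustration, and the check is deliberately stricter than a general-purpose relative-URL resolver (it rejects relative references that do not start with "/").

```python
from urllib.parse import urlsplit

# Constructed site root for this example (a real deployment would use its
# configured wwwroot); nothing here is Moodle's own validation code.
SITE_ROOT = "https://lms.example.org/moodle"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Normalise (scheme, host, port) so 'HTTPS://Host/' and 'https://host:443/' compare equal."""
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_local_url(target, site_root=SITE_ROOT):
    """Return True only if following `target` can land inside `site_root`.

    Accepts site-absolute paths ("/course/view.php?id=2") and absolute URLs
    whose origin matches site_root and whose path lies under it.  Everything
    else, including the classic open-redirect tricks, is rejected.
    """
    # Empty input, control characters, whitespace and backslashes are rejected
    # outright: browsers fold "\" into "/", so "/\evil.example" is "//evil.example",
    # and CR/LF in a Location value is a header-injection attempt.
    if not target or any(ch <= " " or ch == "\\" for ch in target):
        return False
    try:
        parts = urlsplit(target)
        root = urlsplit(site_root)
        if parts.scheme == "" and parts.netloc == "":
            # Relative reference: require a single leading "/" so it resolves on
            # the current origin.  ("//host/..." is parsed into netloc, not here.)
            return parts.path.startswith("/")
        if parts.scheme.lower() not in ("http", "https") or parts.netloc == "":
            # javascript:, data:, protocol-relative "//evil", or "https:evil".
            return False
        if parts.username is not None or parts.password is not None:
            # "https://lms.example.org@evil.example/" has hostname evil.example.
            return False
        if _origin(parts) != _origin(root):
            # Different scheme, host (incl. "lms.example.org.evil.example") or port.
            return False
        # Same origin: additionally require the path to sit under the site root,
        # so "/moodle-old/" on a shared host is not treated as this site.
        root_path = root.path.rstrip("/") + "/"
        return (parts.path + "/").startswith(root_path)
    except ValueError:
        # urlsplit / .port raise on malformed IPv6 literals or bad port numbers.
        return False


def return_url_from_referer(headers, fallback="/"):
    """Pick the destination for a 'go back' link or error-page redirect.

    The Referer value is used only when it passes is_local_url; otherwise the
    caller's fallback (a known-safe site path) is used.
    """
    referer = headers.get("Referer", "")
    return referer if is_local_url(referer) else fallback


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three attacker-controlled.
    samples = [
        {"Referer": "https://lms.example.org/moodle/course/view.php?id=2"},
        {"Referer": "https://lms.example.org@evil.example/moodle/"},
        {"Referer": "//evil.example/login"},
        {"Referer": "/\\evil.example/login"},
    ]
    for h in samples:
        print(f"{h['Referer']!r:60} -> {return_url_from_referer(h)!r}")
```

The point of the origin comparison, rather than a string prefix test on the site root, is that the attacker controls every byte of the Referer: a prefix test is defeated by userinfo ("site@evil"), by a longer hostname ("site.evil"), by a different port, and by protocol-relative or backslash forms that the browser normalises differently from the server.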