Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAB_jSYzrYau1c_zEO-BczpEKc7W617NKeuphfJt=HLgE9bMbfA@mail.gmail.com>
Date: Tue, 17 May 2016 17:01:24 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security release 3.0.4, 2.9.6, 2.8.12, 2.7.14

The following security notifications have now been made public
following release of Moodle 3.0.4, 2.9.6, 2.8.12 and 2.7.14. Thanks to
OSS members for their cooperation.

==============================================================================
MSA-16-0013: Users are able to change profile fields that were locked by the
administrator

Description:       User editing form only disabled the profile fields in UI
                   and did not actually prevent users from editing them
Issue summary:     Tricky users can change locked profile fields
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Vadim Dvorovenko
Issue no.:         MDL-53954
CVE identifier:    CVE-2016-3729
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

==============================================================================
MSA-16-0015: Information disclosure of hidden forum names and sub-names.

Description:       Name of the inaccessible forum or forum discussion could be
                   disclosed as part of the error message on the subscription
                   page
Issue summary:     Information disclosure of hidden forum names and sub-names.
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed:    3.0.4, 2.9.6 and 2.8.12
Reported by:       Callum
Issue no.:         MDL-53696
CVE identifier:    CVE-2016-3731
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

==============================================================================
MSA-16-0016: User can view badges of other users without proper permissions

Description:       Capability check to view other badges was performed for the
                   current user instead for the user whose badges are being
                   viewed
Issue summary:     Badges code checks viewotherbadges capability in the wrong
                   context
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6 and 2.8.12
Reported by:       Tim Hunt
Issue no.:         MDL-53589
CVE identifier:    CVE-2016-3732
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

==============================================================================
MSA-16-0017: Course idnumber not protected from teacher restore

Description:       During the course restore teacher could overwrite idnumber
                   even without having the capability to change it
Issue summary:     Course idnumber not protected from teacher restore
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Donna Hrynkiw
Issue no.:         MDL-51369
CVE identifier:    CVE-2016-3733
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

==============================================================================
MSA-16-0018: CSRF in script marking forum posts as read

Description:       CSRF possible in the URL that marks forum posts as read
Issue summary:     Forum markposts.php missing sesskey check
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Andrew Nicols
Issue no.:         MDL-53755
CVE identifier:    CVE-2016-3734
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

==============================================================================

Marina Glancy
Development Process Manager
e: marina@...dle.com
p: +61 8 9467 4167 w: moodle.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.