Message-ID: <52DC750B.5010301@moodle.com>
Date: Mon, 20 Jan 2014 08:59:55 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The following security notifications are now public after release.
Thanks to OSS members for their continued cooperation.
=======================================================================
MSA-14-0001: Config passwords visibility issue
Description: Some password changes on admin pages were being
recorded and shown to administrators in the config
log report.
Issue summary: Config Changes Report reveals passwords as plain
text
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7 and earlier
unsupported versions
Versions fixed: 2.6.1, 2.5.4 and 2.4.8
Reported by: Andrew Steele
Issue no.: MDL-36721
CVE identifier: CVE-2014-0008
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721
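The defect class behind MSA-14-0001 is a change log that stores whatever value an admin setting had and then renders it back. The added PHP example below (not Moodle's code; the setting names, the `SECRET_SETTINGS` list and the function names are hypothetical) shows the masking step applied before the record is written, so the report cannot leak a secret even if it prints every column verbatim.

```php
<?php
// Added illustration, not Moodle's code: a config-change log that never stores
// plaintext for settings that hold secrets (the failure described in MSA-14-0001).

// Hypothetical registry of setting names whose values are secrets. In a real
// application this flag would come from each setting's own definition.
const SECRET_SETTINGS = ['smtppass', 'proxypassword', 'ldap_bind_pw'];

function is_secret_setting(string $name): bool
{
    return in_array($name, SECRET_SETTINGS, true);
}

// Build the record that will be persisted and later shown in the report.
// Secret values are replaced before storage; the log still shows that a
// change happened, and whether the value was empty, but not the value itself.
function build_config_log_entry(int $userid, string $name, ?string $old, ?string $new): array
{
    if (is_secret_setting($name)) {
        $old = ($old === null || $old === '') ? '' : '********';
        $new = ($new === null || $new === '') ? '' : '********';
    }
    return [
        'userid'    => $userid,
        'timestamp' => time(),
        'name'      => $name,
        'oldvalue'  => $old,
        'value'     => $new,
    ];
}

// Constructed sample changes made by admin user 2.
$entries = [
    build_config_log_entry(2, 'sitename', 'Old site', 'New site'),
    build_config_log_entry(2, 'smtppass', 'old-secret', 'new-secret'),
];
foreach ($entries as $e) {
    printf("%-12s old=%-12s new=%s\n", $e['name'], $e['oldvalue'], $e['value']);
}
```

Masking at write time is the durable fix: filtering only at display time leaves the plaintext in the database for anyone with direct table access. Rows written before such a fix still hold the old values and need purging or masking as part of remediation.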
=======================================================================
MSA-14-0002: Group constraints lacking in "login as"
Description: Users were able to log in as a user who is not in the same group, without having the permission to see all groups.
Issue summary: Users with the loginas permission but without the access all groups permission can log in as a user not in their group via a direct URL
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Itamar Tzadok
Issue no.: MDL-42643
CVE identifier: CVE-2014-0009
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643
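MSA-14-0002 is a missing server-side authorization check: the user interface only listed users in the actor's groups, but the endpoint accepted any user id. The added PHP example below (not Moodle's code; the capability names `loginas` and `accessallgroups`, the membership arrays and the function names are hypothetical) shows the check that has to run on every request regardless of how the URL was built.

```php
<?php
// Added illustration, not Moodle's code: the authorization rule a "log in as"
// endpoint needs when the actor may only see users in their own groups
// (the missing constraint in MSA-14-0002).

// Constructed sample data: userid => list of group ids the user belongs to.
$groupmembers = [
    10 => [1],   // teacher restricted to group 1
    20 => [1],   // student in group 1
    30 => [2],   // student in group 2
];

// Constructed capability table: userid => [capability => granted].
$capabilities = [
    10 => ['loginas' => true, 'accessallgroups' => false],
    40 => ['loginas' => true, 'accessallgroups' => true],
];

function has_capability(array $caps, string $cap, int $userid): bool
{
    return !empty($caps[$userid][$cap]);
}

function share_a_group(array $members, int $a, int $b): bool
{
    $ga = $members[$a] ?? [];
    $gb = $members[$b] ?? [];
    return count(array_intersect($ga, $gb)) > 0;
}

// Evaluated on the server for every request. Hiding the link in the menu is
// not a control: the target id arrives as a request parameter and must be
// re-checked against the actor's group memberships here.
function can_login_as(array $caps, array $members, int $actor, int $target): bool
{
    if (!has_capability($caps, 'loginas', $actor)) {
        return false;
    }
    if (has_capability($caps, 'accessallgroups', $actor)) {
        return true;
    }
    return share_a_group($members, $actor, $target);
}

// Constructed requests: same group, different group, and an actor who may
// access all groups.
foreach ([[10, 20], [10, 30], [40, 30]] as [$actor, $target]) {
    printf("actor %d -> user %d: %s\n", $actor, $target,
        can_login_as($capabilities, $groupmembers, $actor, $target) ? 'allowed' : 'denied');
}
```

A denied decision is also worth logging: a request naming a user outside the actor's groups does not come from the normal interface, so it is a useful signal for review.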
=======================================================================
MSA-14-0003: Cross-site request forgery vulnerability in profile fields
Description: Custom profile fields and categories were open to
deletion without proper session checking.
Issue summary: Two Cross-site Request Forgery (CSRF) vulnerabilities found in /user/profile/index.php
Severity/Risk: Serious
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Jun Zhu
Issue no.: MDL-42883
CVE identifier: CVE-2014-0010
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883
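"Without proper session checking" in MSA-14-0003 means the delete action ran for any request that named a field id, with nothing tying the request to a page the administrator had actually loaded. The added PHP example below is not Moodle's code (Moodle's own mechanism is the `sesskey` parameter verified by `require_sesskey()`); the parameter names, the token helpers and the stand-in `delete_profile_field()` and `require_admin_capability()` functions are hypothetical. It shows the unchecked handler next to one that requires a per-session token.

```php
<?php
// Added illustration, not Moodle's code: a state-changing handler that only
// acts when the request carries the caller's session token (the missing check
// in MSA-14-0003). Names are hypothetical.

session_start();

// One random token per session. Every form or link that triggers a state
// change embeds it, and the handler refuses requests that do not carry it.
function session_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

// True only if the submitted token matches the session's token.
// hash_equals() compares in constant time.
function confirm_session_token(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Vulnerable shape: the action runs for any request naming an id, so a request
// forged from another site is indistinguishable from a legitimate one.
function delete_field_unchecked(int $id): void
{
    delete_profile_field($id);
}

// Hardened shape: token check first, then authorization, then the action.
function delete_field_checked(int $id, ?string $token): void
{
    if (!confirm_session_token($token)) {
        http_response_code(403);
        exit("Invalid session token\n");
    }
    require_admin_capability();
    delete_profile_field($id);
}

// Hypothetical stand-ins for the application's own functions.
function delete_profile_field(int $id): void
{
    echo "deleted field $id\n";
}
function require_admin_capability(): void
{
}

// Dispatch on the request parameters (empty when run from the command line,
// in which case the admin link with the embedded token is rendered instead).
$id    = isset($_GET['deletefield']) ? (int) $_GET['deletefield'] : 0;
$token = $_GET['sesskey'] ?? null;
if ($id > 0) {
    delete_field_checked($id, $token);
} else {
    printf("<a href=\"index.php?deletefield=7&amp;sesskey=%s\">Delete</a>\n",
        htmlspecialchars(session_token(), ENT_QUOTES));
}
```

The token check is independent of the capability check and both are needed: the capability check answers "may this user delete fields", the token check answers "did this user actually ask to". Destructive actions are also better served by a POST from a confirmation form than by a GET link, since the token then travels in the body rather than in URLs that end up in logs and referrers.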
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJS3HS7AAoJECGmGwK/mszPKxMIAIkiFaKtzEKI/3n4TOqU5AcF
Mkm4k60lQgXxRYVptpReDqCUEX08oI86rCtz8vqNx0p04nerhd54An6l9E6uRQrg
40uHGR++LkD2ULflZyFPyQl+GgzGiuAtkvlIq84k5t5WtpkfqQi9DA5GMEpRzu4G
26yCd1oaVKPr22vLfGGbjtYdDHaSGTEdFuB6hvDM5pl7WsTzNg35n9Bwb7QnmbqL
saMiPrRJ8uVgDqP6roZDuidMTdOcxHPfAxuv4pNhkTbjmB4jtYs7Wz91sbqX90cb
u8LbFygvgZ5UnjuCxVlycL/MLaMDr8ucfl1tVBWp/iBzipd0AOh6zurI1tijORs=
=xb4F
-----END PGP SIGNATURE-----