Date: Mon, 19 May 2014 09:43:47 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0014: Cross-site request forgery possible in Assignment

Description:       Session checking was not being performed correctly
                   in Assignment's quick-grading, allowing forged
                   requests to be made unknowingly by authenticated
                   users.
Issue summary:     Cross-Site Request Forgery
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and
                   earlier unsupported versions
Versions fixed:    2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:       Gerry Hall
Issue no.:         MDL-44606
CVE identifier:    CVE-2014-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606
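
The MSA-14-0014 description is the classic missing state-changing-request check: a
quick-grading POST was accepted on the strength of the victim's login cookie alone. The
following Python model (an added example, not Moodle's PHP code and not taken from the
MDL-44606 change) contrasts a handler that trusts any request riding on a live session with
one that also demands the per-session key in the form body, which a cross-site attacker
cannot read. The session store, grade table, field names and user ids are constructed for
the example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a session store and a grades table.
# These names and shapes are assumptions of this example, not Moodle's schema.
SESSIONS = {}   # session id -> {"userid": int, "sesskey": str}
GRADES = {}     # (assignment id, user id) -> grade


def start_session(userid: int) -> str:
    """Log a user in: create a session and mint its anti-CSRF key (the "sesskey")."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"userid": userid, "sesskey": secrets.token_urlsafe(16)}
    return sid


def quick_grade_vulnerable(sid: str, form: dict) -> bool:
    """Unfixed behaviour: any POST that carries a valid session cookie is acted on.

    A page on another origin can make the victim's browser submit this form; the
    browser attaches the session cookie automatically, so the grade is written.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    GRADES[(int(form["assignment"]), int(form["user"]))] = float(form["grade"])
    return True


def quick_grade_fixed(sid: str, form: dict) -> bool:
    """Fixed behaviour: the form must also carry the session's own sesskey.

    The key lives only in the server session and in pages this site rendered
    for that user, so a forged cross-site request cannot include it. The
    comparison is constant-time to avoid leaking the key byte by byte.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    supplied = form.get("sesskey", "")
    if not isinstance(supplied, str) or not hmac.compare_digest(supplied, sess["sesskey"]):
        return False
    GRADES[(int(form["assignment"]), int(form["user"]))] = float(form["grade"])
    return True


def demo_csrf() -> dict:
    """Replay one forged quick-grading POST against both handlers.

    Returns which handlers accepted the forged request, plus whether a genuine
    submission (one that includes the sesskey) still works against the fix.
    """
    GRADES.clear()
    sid = start_session(userid=7)  # a teacher's live session (constructed)
    # Attacker-authored form body: correct field names, but no sesskey, because
    # the attacker's page cannot read the victim's session or its key.
    forged = {"assignment": "3", "user": "42", "grade": "100"}
    results = {
        "vulnerable": quick_grade_vulnerable(sid, forged),
        "fixed": quick_grade_fixed(sid, forged),
    }
    genuine = dict(forged, sesskey=SESSIONS[sid]["sesskey"])
    results["legitimate"] = quick_grade_fixed(sid, genuine)
    results["wrong_key"] = quick_grade_fixed(sid, dict(forged, sesskey="x" * 22))
    return results


if __name__ == "__main__":
    print(demo_csrf())
```

In Moodle itself the equivalent guard is require_sesskey() (or confirm_sesskey()) in the
script that processes the form, with the key emitted into the form as a hidden field via
sesskey(); the point of the fix is that the check runs on every state-changing request
path, including the quick-grading one.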

=======================================================================
MSA-14-0015: Web service token expiry issue for MoodleMobile

Description:       MoodleMobile web service tokens were not expiring.
Issue summary:     Tokens created automatically in login/token.php are
                   valid forever
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and
                   earlier unsupported versions
Versions fixed:    2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:       Juan Leyva
Issue no.:         MDL-43119
CVE identifier:    CVE-2014-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119
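
MSA-14-0015 is a lifetime bug rather than a crypto bug: automatically created tokens had
no expiry, so a token captured from a lost or compromised device stayed usable
indefinitely. The Python model below (an added example, not Moodle's code and not taken
from the MDL-43119 change) keeps a token table with a "valid until" timestamp, shows
issuance that leaves it unset beside issuance that sets it, and a validator that rejects
and discards expired tokens. The table layout, the sentinel meaning "no expiry", the
lifetime and the user ids are assumptions of the example.

```python
import secrets
import time

# Constructed in-memory token table; the column names are an assumption of
# this example, not Moodle's external_tokens schema.
TOKENS = {}  # token string -> {"userid": int, "validuntil": float}

NEVER = 0.0  # sentinel used here for "no expiry"


def _now(now):
    return time.time() if now is None else now


def issue_token_vulnerable(userid: int) -> str:
    """Unfixed behaviour: a token minted with no expiry at all."""
    tok = secrets.token_hex(16)
    TOKENS[tok] = {"userid": userid, "validuntil": NEVER}
    return tok


def issue_token_fixed(userid: int, lifetime: float = 12 * 3600, now=None) -> str:
    """Fixed behaviour: every automatically created token gets a finite lifetime.

    The 12 hour default is an assumption for the example, not a Moodle setting.
    """
    tok = secrets.token_hex(16)
    TOKENS[tok] = {"userid": userid, "validuntil": _now(now) + lifetime}
    return tok


def validate_token(tok: str, now=None):
    """Return the owning user id for a live token, or None.

    An expired token is deleted on first sight so it cannot be retried; a
    token whose validuntil is the NEVER sentinel is accepted forever, which is
    exactly why issuing such tokens automatically was the bug.
    """
    rec = TOKENS.get(tok)
    if rec is None:
        return None
    if rec["validuntil"] != NEVER and _now(now) >= rec["validuntil"]:
        del TOKENS[tok]
        return None
    return rec["userid"]


def sweep_expired(now=None) -> int:
    """Housekeeping: drop every expired token and return how many were removed."""
    t = _now(now)
    dead = [k for k, rec in TOKENS.items() if rec["validuntil"] != NEVER and t >= rec["validuntil"]]
    for k in dead:
        del TOKENS[k]
    return len(dead)


if __name__ == "__main__":
    old = issue_token_vulnerable(1)
    new = issue_token_fixed(2, lifetime=3600, now=1000.0)
    print("never-expiring token still valid far in the future:", validate_token(old, now=10**10))
    print("fixed token inside its window:", validate_token(new, now=2000.0))
    print("fixed token after expiry:", validate_token(new, now=4600.0))
```

Two design points worth carrying over to a real deployment: expiry is checked at the
point of use, not only by a periodic cleanup job, and a stored "no expiry" value is
treated as a deliberate exception that only an administrator should be able to create,
never the default for automatically issued tokens.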

=======================================================================
MSA-14-0016: Anonymous student identity revealed in assignment

Description:       Some student details were included in assignment
                   marking pages and would have been revealed to
                   screen readers or through code inspection.
Issue summary:     Blind marking reveals identities to screen readers
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and
                   earlier unsupported versions
Versions fixed:    2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:       Damyon Wiese
Issue no.:         MDL-44750
CVE identifier:    CVE-2014-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750

=======================================================================
MSA-14-0017: File access issue in HTML block

Description:       Access to files linked on HTML blocks on the My home
                   page was not being checked in the correct context
                   allowing access to unauthenticated users.
Issue summary:     Files linked in HTML blocks on My home are available
                   to non-authenticated users
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and
                   earlier unsupported versions
Versions fixed:    2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:       Mike Wilson
Issue no.:         MDL-43877
CVE identifier:    CVE-2014-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

=======================================================================
MSA-14-0018: Information leak in courses

Description:       Details of hidden courses were being revealed to
                   unauthenticated users on enrolment pages by URL
                   manipulation.
Issue summary:     Hidden course name and summary visible to guests
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.2
Versions fixed:    2.7 and 2.6.3
Reported by:       Marina Glancy
Issue no.:         MDL-45126
CVE identifier:    CVE-2014-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126

=======================================================================
MSA-14-0019: Reflected XSS in URL downloader repository

Description:       There was a lack of filtering in the URL downloader
                   repository that could have been exploited for XSS.
Issue summary:     Reflected cross-site scripting in URL downloader
                   repository
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and
                   earlier unsupported versions
Versions fixed:    2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:       Yogendra Sharma
Issue no.:         MDL-45332
CVE identifier:    CVE-2014-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTeWHTAAoJECGmGwK/mszP2NUH/RyVZBVQC5GO+3ZBGOiuBrtq
AvHnBfiKXpk+p5RXnDicHaqtIEdYpFDK7cVdlb3k1xiGZYraNP8b9pefHBk/GZMy
QmcKkT78pZj9b7cvs0SiGiksiIpYS3MwmZsWtOCjjH6VawQQL4kpZDoGi8ezyXpJ
MiAQ5C069IcoEkrKuBxCsNla+ezFN9+C+PaWPzpCjjf6aHxURFVD2Mv27VNF+Tcv
GjlslZ7s8VYmczyt0rM3ZSRQDprhzIlsXXUsEybEAxiakmmBEic0QjNw/Y6aPMHO
JjEWDc/QAVP+5eL9HdbNWmbzqtBR9ViTUQqg4idYQK8m2Vuh9O2Yd9GrgBU7ZQM=
=dm4s
-----END PGP SIGNATURE-----

